(core) add an access token mechanism to help with attachments in custom widgets

Summary:
With this, a custom widget can render an attachment by doing:
```
const tokenInfo = await grist.docApi.getAccessToken({readOnly: true});
const img = document.getElementById('the_image');
const id = record.C[0];  // get an id of an attachment
const src = `${tokenInfo.baseUrl}/attachments/${id}/download?auth=${tokenInfo.token}`;
img.setAttribute('src', src)
```

The access token expires after a few mins, so if a user right-clicks on an image
to save it, they may get access denied unless they refresh the page. A little awkward,
but s3 pre-authorized links behave similarly and it generally isn't a deal-breaker.

Test Plan: added tests

Reviewers: dsagal

Reviewed By: dsagal

Subscribers: dsagal

Differential Revision: https://phab.getgrist.com/D3488
Paul Fitzpatrick
2022-07-19 11:39:49 -04:00
parent 5c0a250309
commit dd8d2e18f5
22 changed files with 551 additions and 34 deletions


@@ -511,9 +511,12 @@ export class DocManager extends EventEmitter {
return await db.getRawDocById(docName);
}
private async _getDocUrl(doc: Document) {
private async _getDocUrls(doc: Document) {
try {
return await this.gristServer.getResourceUrl(doc);
return {
docUrl: await this.gristServer.getResourceUrl(doc),
docApiUrl: await this.gristServer.getResourceUrl(doc, 'api'),
};
} catch (e) {
// If there is no home url, we cannot construct links. Accept this, for the benefit
// of legacy tests.
@@ -526,8 +529,8 @@ export class DocManager extends EventEmitter {
private async _createActiveDoc(docSession: OptDocSession, docName: string, safeMode?: boolean) {
const doc = await this._getDoc(docSession, docName);
// Get URL for document for use with SELF_HYPERLINK().
const docUrl = doc && await this._getDocUrl(doc);
return new ActiveDoc(this, docName, {docUrl, safeMode, doc});
const docUrls = doc && await this._getDocUrls(doc);
return new ActiveDoc(this, docName, {...docUrls, safeMode, doc});
}
/**
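Review bot: The comment above the `_getDocUrls` call in `_createActiveDoc` still says the URL is fetched only for SELF_HYPERLINK(), but the call now also yields `docApiUrl`, which judging by the commit description is presumably the base URL handed to widgets together with an access token. I would update it to `// Get document URLs: docUrl for SELF_HYPERLINK(), docApiUrl as the base for API links.` Separately, when `doc` is falsy or either `getResourceUrl` call throws, the spread `{...docUrls, safeMode, doc}` leaves both options unset; the catch body of `_getDocUrls` continues outside this hunk, so what it returns is not visible here. Whatever code issues tokens should fail clearly in that case rather than return a `baseUrl` built from an undefined value, and a short doc comment on `_getDocUrls` stating that it may return nothing would make that contract explicit.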