(core) add an access token mechanism to help with attachments in custom widgets

Summary:
With this, a custom widget can render an attachment by doing:
```
const tokenInfo = await grist.docApi.getAccessToken({readOnly: true});
const img = document.getElementById('the_image');
const id = record.C[0];  // get an id of an attachment
const src = `${tokenInfo.baseUrl}/attachments/${id}/download?auth=${tokenInfo.token}`;
img.setAttribute('src', src)
```

The access token expires after a few mins, so if a user right-clicks on an image
to save it, they may get access denied unless they refresh the page. A little awkward,
but s3 pre-authorized links behave similarly and it generally isn't a deal-breaker.

Test Plan: added tests

Reviewers: dsagal

Reviewed By: dsagal

Subscribers: dsagal

Differential Revision: https://phab.getgrist.com/D3488

app/server/lib/DocPluginManager.ts

@@ -6,7 +6,7 @@ import { createRpcLogger, PluginInstance } from 'app/common/PluginInstance';
 import { Promisified } from 'app/common/tpromisified';
 import { ParseFileResult, ParseOptions } from 'app/plugin/FileParserAPI';
 import { checkers, GristTable } from "app/plugin/grist-plugin-api";
-import { GristDocAPI } from "app/plugin/GristAPI";
+import { AccessTokenResult, GristDocAPI } from "app/plugin/GristAPI";
 import { Storage } from 'app/plugin/StorageAPI';
 import { ActiveDoc } from 'app/server/lib/ActiveDoc';
 import { DocPluginData } from 'app/server/lib/DocPluginData';
@@ -47,6 +47,13 @@ class GristDocAPIImpl implements GristDocAPI {
   public applyUserActions(actions: any[][]): Promise<ApplyUAResult> {
     return this._activeDoc.applyUserActions(makeExceptionalDocSession('plugin'), actions);
   }
+
+  // These implementations of GristDocAPI are from an early implementation of
+  // plugins that is incompatible with access control. No need to add new
+  // methods here.
+  public async getAccessToken(): Promise<AccessTokenResult> {
+    throw new Error('getAccessToken not implemented');
+  }
 }
 
 /**