(core) clean up a collection of small problems affecting grist-core

Summary:
 * Remove adjustSession hack, interfering with loading docs under saml.
 * Allow the anonymous user to receive an empty list of workspaces for
   the merged org.
 * Behave better on first page load when org is in path - this used to
   fail because of lack of cookie.  This is very visible in grist-core,
   as a failure to load localhost:8484 on first visit.
 * Mark cookie explicitly as SameSite=Lax to remove a warning in firefox.
 * Make errorPages available in grist-core.

This changes the default behavior of grist-core to now start off in
anonymous mode, with an explicit sign-in step available.  If SAML is not configured,
the sign-in operation will unconditionally sign the user in as a default
user, without any password check or other security.  The user email is
taken from GRIST_DEFAULT_EMAIL if set.  This is a significant change, but
makes anonymous mode available in grist-core (which is convenient
for testing) and makes behavior with and without SAML much more consistent.

Test Plan: updated test; manual (time to start adding grist-core tests though!)

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2980

app/server/lib/gristSessions.ts

@@ -132,6 +132,8 @@ export function initGristSessions(instanceRoot: string, server: GristServer) {
     requestDomain: getCookieDomain,
     genid: generateId,
     cookie: {
+      sameSite: 'lax',
+
       // We do not initially set max-age, leaving the cookie as a
       // session cookie until there's a successful login.  On the
       // redis back-end, the session associated with the cookie will
@@ -144,7 +146,7 @@ export function initGristSessions(instanceRoot: string, server: GristServer) {
     store: sessionStore
   });
 
-  const sessions = new Sessions(sessionSecret, sessionStore, server);
+  const sessions = new Sessions(sessionSecret, sessionStore);
 
   return {sessions, sessionSecret, sessionStore, sessionMiddleware, sessionStoreCreator};
 }