Cookie-based auth

[dokterbob]

Implementation of #1520

[dokterbob]

There's currently E2E test failures in:

• [ ] chat_profiles
• [ ] data_layer
• [ ] header_auth
• [ ] password_auth

This is kind of to be expected, given the scale of this refactor.

In addition, we need to make sure that files are served from a place which does not have API access, e.g. the files should really be untrusted. Otherwise, an LLM or whoever uploads files could call the Chainlit API on the user's behalf by crafting malicious HTML with JS.

To get there, we need to:

• [ ] Serve the API from a single root/prefix, e.g. /api/.
• [ ] Serve files from another, e.g. /files/.
• [ ] Set auth cookie with path=/api/, allowing acces to the API only. Including file uploads.
• [ ] Set another auth cookie with path=/files/, allowing only GET (and perhaps HEAD) to files.
• [ ] For legacy support, add a permanent redirect from the current file API location to the new location (and give a deprecation warning when redirecting).

This would be a good moment to 'go all in' in terms of file security. We could also postpone this to a later PR and/or explicitly document that files in their current implementation should not come from untrusted sources (e.g. AI-generated or from 3rd parties).