Use private folder by default

[bruyeret]

The default is now the Private folder for everything. Also fix the datasets that are uploaded in the private folder, as the images didn't send the girder-token cookie because of the crossOrigin setting of images that was badly set. Also fix the default CORS allowed origins in girder, because a simple wildcard is not compatible with crossOrigin="use-credentials".

For exisiting builds, that use a different IP for the front end and girder: In girder (http://localhost:8080/):

• Go to Admin Console -> Server Configuration
• Go to Advanced Settings at the bottom and find CORS Allowed Origins setting
• Replace the * with the full adress of the backend (for example http://localhost:5173 or http://localhost:*), or even ** if it is in a private network
• Save the settings

Close #739

[arjunrajlab]

I think this mostly works. It worked on my AWS instance. When running the front end on localhost:5173, I had to set the CORS Allowed Origins to localhost:*. Is that right? I thought I only needed to do that if I had a static IP?

Just to be clear, it's not a problem to do it, I just want to make sure that is the intended behavior.

[arjunrajlab]

Also, perhaps unrelated, but when I make an AWS S3 assetstore, I get a bunch of 400 errors. The files themselves are actually placed in the assetstore, but it seems that it can't read them. I was able to read them from the AWS CLI, so I don't think it's a permissions issue.

[bruyeret]

If you run the frontend on localhost:5173 and only access it using localhost:5173, I would expect http://localhost:* to work but localhost:* to fail, but maybe the pattern matching doesn't work as I expected If you run the front end on a static IP machine, for example a.b.c.d:x and the backend on e.f.g.h:y, you should set the CORS Allowed Origins of girder to http://a.b.c.d:x or https://a.b.c.d:x (note the s in the protocol)

To test if it works, you have to:

• Use a machine that does not serve the front end and girder
• Create a dataset in a Private folder
• Open the dataset. If there are CORS errors in the console, there is an issue with the settings

[arjunrajlab]

Ah okay. So for a dev install, someone will have to change that in the Girder settings? Which is fine, I just have to add that to the instructions. I am wondering if it might be better is the default was localhost: so that it runs out of the box, and then we give instructions to change to if you want to run on a static IP or on AWS? I think most people who are installing for the first time would be running via localhost. But either is really fine.