Pass user token when self-streaming from Webknossos

[valentin-pinkau]

Detailed Description

I have a wk dataset that has a layer with mags that have a path set, which is itself a zarr link to the same webknossos-datastore.
The layer is not public and wk fails to fetch the data. Could it analyze the zarr link and understand that it points to the data store itself (self-streaming) and in this case use the user token it received to also request the zarr data from itself? This way, self-streaming could succeed without explicit credentials in the json.

Here is a link to the problematic dataset:
https://scm.slack.com/archives/C5AKLAV0B/p1733150028983289

[fm3]

I think this should not be implemented using another Credential attached to the DataVault / VaultPath. Instead, every request should get passed the token context, and the HttpsDataVault reads should use this token if the requested uri is the datastore’s own. Not entirely sure in which abstraction layer this decision should happen (DataVaults don’t have the datastore config).

This way, the credentials don’t get cached across users.

I’d consider this blocked by #7839 since the TokenContext refactoring from there would change many lines here.