fix auth problems permission boundaries

[amahuli03]

Description

This PR adds the infrastructure to separate admin access from regular authenticated access. Currently, since the only authenticated users are admin, we're treating any "logged in" users as admin.
changes:

• admin-only API endpoints check if a user is an admin with permissions.IsSuperUser
  • Before, it only checked if user haspermissions.IsAuthenticated
• on page reload, the reducer (in AUTHENTICATED_SUCCESS) was hardcoding isSuperuser: true without looking at the token
  • This PR fixes that by decoding the JWT from localStorage the same way LOGIN_SUCCESS handles the token
• A new AdminRoute component separates admin pages from pages that just require any authenticated user
• CORS is restricted to a configurable allowlist rather than allowing all origins
• add CORS_ALLOWED_ORIGINS=http://localhost:3000 to dev.env.example

Related Issue

Closes #484
Part of #483

Manual Tests

Admin permissions boundaries still work, I verified this by trying to access admin endpoints as an unauthenticated user as well as as an admin user.

Route protection works--trying to access admin pages as an unauthenticated user redirects to the login page as it should

Notes

If you have an existing dev.env, you'll need to manually add CORS_ALLOWED_ORIGINS=http://localhost:3000 to it.
Also, the CORS settings will have to be updated on the prod and sandbox env configurations once this deploys.
TODO: figure out exactly what this needs in sandbox and prod