Tenant API response cleanup #267

Merged
merged 5 commits into from Mar 2, 2023
Conversation

pdeziel
Contributor

@pdeziel pdeziel commented Mar 2, 2023

Scope of changes

This makes a pass at standardizing some of the tenant API responses. In this PR:

  1. Endpoints were updated to use the shared orgIDFromContext method which saves a bit of code and standardizes the error responses when trying to parse the orgID from the user's claims.
  2. If the requested object is not in the user's organization, we now return 404 instead of 403. This is a security thing to avoid leaking information about objects in other organizations to the user. For example the user could create a request with a projectID that's not in their organization. Even though they wouldn't be able to retrieve it, they could still gain information about whether the projectID exists based on the response (and potentially attempt malicious things with it).

Fixes SC-14066

Type of change

  • new feature
  • bug fix
  • documentation
  • testing
  • technical debt
  • other (describe)

Acceptance criteria

Please review that the responses make sense to you.

Author checklist

  • I have manually tested the change and/or added automation in the form of unit tests or integration tests
  • I have updated the dependencies list
  • I have recompiled and included new protocol buffers to reflect changes I made
  • I have added new test fixtures as needed to support added tests
  • Check this box if a reviewer can merge this pull request after approval (leave it unchecked if you want to do it yourself)
  • I have moved the associated Shortcut story to "Ready for Review"

Reviewer(s) checklist

  • Any new user-facing content that has been added for this PR has been QA'ed to ensure correct grammar, spelling, and understandability.
  • Are there any TODOs in this PR that should be turned into stories?
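The two points in the scope of changes, as an added illustration that is not code from this PR or its repository: a single `orgIDFromContext` helper pulls the org ID from the request context, and an object that is missing or owned by another organization gets the same 404, so the response does not reveal whether the ID exists. The context key, the in-memory `projectOwner` map and the 401 for a missing org claim are assumptions made for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
)

// ctxKey is a constructed context key standing in for the org ID carried in the user's claims.
type ctxKey struct{}

// projectOwner is a constructed in-memory store mapping project ID to owning org ID.
var projectOwner = map[string]string{
	"proj-a": "org-1",
	"proj-b": "org-2",
}

var errNoOrgID = errors.New("could not parse orgID from claims")

// orgIDFromContext mirrors the shared helper described in the PR: one place that
// extracts the caller's org ID so every endpoint fails the same way when it is missing.
func orgIDFromContext(ctx context.Context) (string, error) {
	orgID, ok := ctx.Value(ctxKey{}).(string)
	if !ok || orgID == "" {
		return "", errNoOrgID
	}
	return orgID, nil
}

// lookupStatus is the status a GET /projects/{id} handler should return for this caller.
func lookupStatus(ctx context.Context, projectID string) int {
	orgID, err := orgIDFromContext(ctx)
	if err != nil {
		return http.StatusUnauthorized // assumption: no org claim means the caller is not authenticated
	}
	owner, found := projectOwner[projectID]
	if !found || owner != orgID {
		// Identical 404 whether the ID is unknown or owned by another org, so the
		// response cannot be used to probe which IDs exist outside the caller's tenant.
		return http.StatusNotFound
	}
	return http.StatusOK
}

func main() {
	ctx := context.WithValue(context.Background(), ctxKey{}, "org-1")
	fmt.Println(lookupStatus(ctx, "proj-a"), lookupStatus(ctx, "proj-b"), lookupStatus(ctx, "missing"))
}
```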

@shortcut-integration

This pull request has been linked to Shortcut Story #14066: Audit Tenant API error responses.

Contributor

@daniellemaxwell daniellemaxwell left a comment


Looks good!

@daniellemaxwell daniellemaxwell merged commit ed08380 into main Mar 2, 2023
@daniellemaxwell daniellemaxwell deleted the sc-14066 branch March 2, 2023 16:40