[HCA DCP] Implement authorization code flow with Azul for HCA DCP dev

[frano-m]

Summary

Implement the OAuth 2.0 authorization code flow against Azul's /user/authorize endpoint for HCA DCP dev (ma-dev site-config), mirroring what was done for AnVIL in #4793 / #4796.

This was originally part of the scope of #4793 ("This should be implemented for HCA and AnVIL"); #4796 covered AnVIL only. This ticket tracks the HCA DCP dev half.

Context

• Original Azul change: Implement authorization code flow with Azul and Data Browser azul#7954
• AnVIL implementation (precedent): feat: implement authorization code flow with azul and data browser (#4793) #4796
• Reason for the switch: refresh-token support so curl download links don't expire after the implicit-flow access-token TTL — see cURL manifest command lines expire after only one hour azul#7945

Scope

• Update site-config/hca-dcp/ma-dev/authentication/constants.ts (the site-config that deploys to https://explore.dev.singlecell.gi.ucsc.edu/projects and is backed by the Azul dev instance at service.dev.singlecell.gi.ucsc.edu):
  • Switch flow to OAUTH_FLOW.AUTHORIZATION_CODE
  • Add authorize URL pointing at the HCA DCP dev Azul /user/authorize endpoint (https://service.dev.singlecell.gi.ucsc.edu/user/authorize)
  • Bump CLIENT_ID to 713613812354-aelk662bncv14d319dk8juce9p11um00.apps.googleusercontent.com per Hannes's comment on #4793 (confirmed in NoopDog's comment)
• Verify against the HCA DCP dev Azul deployment, mirroring the test plan in feat: implement authorization code flow with azul and data browser (#4793) #4796
• Other HCA environments (cc-ma-dev, dev, prod, ma-prod) remain on OAUTH_FLOW.IMPLICIT for now, per the "only Azul dev/anvildev should adopt this" guidance from Implement authorization code flow with Azul and Data Browser #7954 #4793

Out of scope

• HCA DCP prod (and other non-dev HCA envs) — to be tracked separately if/when the flow is rolled out beyond dev

Test plan

Mirror #4796:

• Login end-to-end on localhost:3000 against HCA DCP dev: POST to /user/authorize returns {access_token, id_token, scope, expires_in, token_type}; profile loads
• Logout clears state, datasets table reverts to public-only view
• Inactivity timeout still triggers
• Terra-side checks (userinfo, ToS, profile) still 200 with the access token

References

• Implement authorization code flow with Azul and Data Browser #7954 #4793 (parent / origin)
• feat: implement authorization code flow with azul and data browser (#4793) #4796 (AnVIL implementation)
• Implement authorization code flow with Azul and Data Browser azul#7954, cURL manifest command lines expire after only one hour azul#7945

[frano-m]

@hannes-ucsc — to wire this up for HCA DCP dev, I need the equivalent of what was used for anvil-cmg/dev in #4796:

• CLIENT_ID (Google OAuth client ID) for HCA DCP dev
• authorize URL (Azul /user/authorize endpoint) for the HCA DCP dev deployment

For reference, the AnVIL CMG dev values are:

const CLIENT_ID = "561542988117-3cv4g8ii9enl2000ra6m02r3ne7bgnth.apps.googleusercontent.com";

authorize: "https://service.anvil.gi.ucsc.edu/user/authorize"

Could you provide the HCA DCP dev equivalents when you get a chance? Thanks.

[hannes-ucsc]

I listed the client IDs on the ticket. And you should be able to infer the endpoint. It's the URL of the Azul instance plus /user/authorize. If the full endpoint URL is currently hard-coded (as suggested by your code excerpt), I would break that up into the standard Azul base URL plus the endpoint path so that the base URL isn't duplicated.