feat: [hca dcp] implement authorization code flow with azul for hca dcp dev (#4805) #4819

Merged: NoopDog merged 2 commits into main from fran/4805-hca-dcp-authorization-code-flow on May 11, 2026

frano-m commented May 11, 2026

Summary

Closes #4805.

  • Switches hca-dcp/ma-dev to the OAuth 2.0 authorization code flow against Azul's /user/authorize endpoint, mirroring what was done for AnVIL in feat: implement authorization code flow with azul and data browser (#4793) #4796.
  • Adds site-config/hca-dcp/ma-dev/authentication/{constants,authentication}.ts. getAuthenticationConfig takes the inherited auth config plus dataSourceUrl and overrides providers + services — same override pattern as hca-dcp/ma-prod. ma-dev's config.ts calls the override after makeManagedAccessConfig, passing config.dataSource.url so the authorize URL has a single source of truth (no hardcoded duplicate of DATA_URL).
  • authorize URL is built with new URL("/user/authorize", dataSourceUrl).href so it handles dataSource.url carrying a trailing slash (which it currently does via ${dataUrl}/ in hca-dcp/dev/config.ts).
  • CLIENT_ID is 713613812354-aelk662bncv14d319dk8juce9p11um00.apps.googleusercontent.com per Hannes's comment on #4793 (confirmed by NoopDog here).
  • Per Hannes's "only Azul dev/anvildev should adopt this for now" guidance, other HCA envs (cc-ma-dev, dev, prod, ma-prod) stay on OAUTH_FLOW.IMPLICIT.

Note for review: cc-ma-dev is also backed by the Azul dev instance and could technically adopt the same flow, but per the ticket scope it's intentionally left on implicit for this PR. Happy to follow up if cc-ma-dev should also be switched — needs confirmation that the new client ID has https://ma-pilot.explore.data.humancellatlas.dev.clevercanary.com on its allowed-origins list in Google Cloud Console.

Test plan

Verified against HCA DCP dev (ma-dev build, locally against https://service.dev.singlecell.gi.ucsc.edu):

  • Login end-to-end: POST /user/authorize returns {access_token, expires_in, id_token, scope, token_type}; profile loads (network trace confirmed userinfo, profile v1, termsOfServiceDetails all 200)
  • Build: npm run build-ma-dev:hca-dcp succeeds
  • Logout clears state, datasets table reverts to public-only view
  • Inactivity timeout still triggers
  • Terra-side checks (userinfo, ToS, profile) still 200 with the access token on a fresh session
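
An added example (not code from this PR or the project) of the authorize URL construction described in the summary, comparing `new URL("/user/authorize", dataSourceUrl).href` with plain string concatenation. The function names, the HTTPS and embedded-credentials checks, and the `azul.example.org` base are assumptions made for illustration.

```typescript
// Added example. Function names are hypothetical, not from the PR's files.
const AUTHORIZE_PATH = "/user/authorize";

// String concatenation: a base ending in "/" produces "//user/authorize".
function concatAuthorizeUrl(dataSourceUrl: string): string {
  return `${dataSourceUrl}${AUTHORIZE_PATH}`;
}

// WHATWG URL resolution, the approach the PR describes. An absolute-path
// reference replaces the base's whole path, so a trailing slash is harmless
// and any path prefix on the base is discarded.
function buildAuthorizeUrl(dataSourceUrl: string): string {
  const base = new URL(dataSourceUrl); // throws TypeError if malformed
  // Assumed extra check (not in the PR): the token exchange must use TLS.
  if (base.protocol !== "https:") {
    throw new Error(`non-HTTPS data source rejected: ${base.protocol}`);
  }
  // Assumed extra check: no embedded credentials in the configured URL.
  if (base.username !== "" || base.password !== "") {
    throw new Error("data source URL must not carry credentials");
  }
  return new URL(AUTHORIZE_PATH, base).href;
}

// Bases: the dev service URL quoted in the test plan, with and without a
// trailing slash, plus a constructed base that has a path prefix.
const SAMPLE_BASES = [
  "https://service.dev.singlecell.gi.ucsc.edu",
  "https://service.dev.singlecell.gi.ucsc.edu/",
  "https://azul.example.org/api/v1/", // constructed
];

function compare(
  bases: string[]
): { base: string; concatenated: string; resolved: string }[] {
  return bases.map((base) => ({
    base,
    concatenated: concatAuthorizeUrl(base),
    resolved: buildAuthorizeUrl(base),
  }));
}

console.table(compare(SAMPLE_BASES));
```

The third row shows the caveat of this pattern: a data source URL that carries a path prefix loses it, so the pattern relies on `/user/authorize` living at the origin root.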

…cp dev (#4805)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Pull request overview

Updates the HCA DCP managed-access dev site configuration to use Azul’s OAuth 2.0 authorization code flow (via /user/authorize), aligning with the existing AnVIL dev implementation and keeping other HCA environments on implicit flow.

Changes:

  • Overrides hca-dcp/ma-dev authentication to use OAUTH_FLOW.AUTHORIZATION_CODE and an Azul-derived authorize URL.
  • Introduces site-config/hca-dcp/ma-dev/authentication/{constants,authentication}.ts to encapsulate the auth override (providers/services) while inheriting the rest of the managed-access auth UI config.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| site-config/hca-dcp/ma-dev/config.ts | Applies an auth override for ma-dev after makeManagedAccessConfig, using config.dataSource.url as the single source of truth for the Azul base URL. |
| site-config/hca-dcp/ma-dev/authentication/constants.ts | Adds Google provider configuration for authorization-code flow and derives the Azul /user/authorize URL from dataSourceUrl; defines Terra service endpoints for dev. |
| site-config/hca-dcp/ma-dev/authentication/authentication.ts | Adds a helper to override inherited authentication config’s providers and services while preserving other inherited auth settings. |

@frano-m frano-m marked this pull request as ready for review May 11, 2026 05:50
…4805)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@NoopDog NoopDog merged commit 3735659 into main May 11, 2026
3 checks passed
@frano-m frano-m deleted the fran/4805-hca-dcp-authorization-code-flow branch May 13, 2026 02:43
Development

Successfully merging this pull request may close these issues.

[HCA DCP] Implement authorization code flow with Azul for HCA DCP dev
