Add spec-driven Swagger auth controls

[krowvin]

Summary

• Update the GUI to use Groundwork Water auth helpers for Swagger UI login
• Select the custom login method from the generated OpenAPI security schemes
• Add a login mode dropdown so users can switch between the custom login flow and Swagger's built-in Authorize controls
• Support localhost development by falling back to local Keycloak direct-grant auth when CWMSLogin is advertised but not reachable (It was showing in the security controls response)
• Fix localhost Keycloak dev redirect and healthcheck behavior

Validation

• npx.cmd eslint src/pages/swagger-ui/index.jsx --ext js,jsx --report-unused-disable-directives --max-warnings 0
• npm.cmd run build
• Tested manually on localhost against local CDA instance

Screenshots

With "CWBI Login" selected the locks on the swagger UI are not shown. The hope is to not add login confusion by default. While still allowing the option to authenticate via other means (API key/etc)

• AI Tools Used

[krowvin]

Few thoughts of my own with these changes

[krowvin]

I was wondering if this should be tailwind css? Preference?

[MikeNeilson]

What ever is inline with GWW and its usages by USACE?

[krowvin]

older GWW only supported direct grant

[krowvin]

I debated doing one single wildcard for the localhost proxy here

[MikeNeilson]

May as well so everything can be tested correctly locally by default.

[krowvin]

Sometimes it'll launch in loopback, othertimes it's localhost. Figured we'd have both.

[MikeNeilson]

Yep, 127.0.0.1 is the ostensibly "correct" way, but in local development mode having both will make life easier.

[MikeNeilson]

Sorry for the delay, thought the review had actually submitted thursday and it had not.

[MikeNeilson]

What ever is inline with GWW and its usages by USACE?

[MikeNeilson]

May as well so everything can be tested correctly locally by default.

[MikeNeilson]

Yep, 127.0.0.1 is the ostensibly "correct" way, but in local development mode having both will make life easier.

[rma-psmorris]

I don't think this should be done as the lock icon is informative as to what authentication is required by the endpoint. Swagger also doesn't have the best UI for their auth state (see swagger-api/swagger-ui#4402).

• No lock icon: the endpoint is public. Authentication is not involved with the operation.
• Gray unlocked lock icon: authentication is optional. The endpoint allows anonymous access, but also accepts authenticated requests if credentials are provided.
• Black locked lock icon: authentication is required. The endpoint cannot be called successfully without valid credentials.

The change you are implementing here by not displaying the lock icon suggests that all endpoints are public.
Also, CDA does not correctly define Swagger icon state for black locked lock icons -- but that is a separate issue (that I'm checking on to see if it needs an issue to be created).

[krowvin]

I'm good to remove the drop-down and leave a simple login button that logs you in via AAA or KeyCloak depending on the swagger spec.

@MikeNeilson

I'll do this unless you have thoughts on why we should leave locks out.

My thinking was to have users opt into the swagger locks if they want this route of auth. Intenteded for internal use. But I realize that won't always be the case.

[MikeNeilson]

The locks should stay. Definitely interested in the no/gray/black though. Long term there will be items that won't show up from GETs unless authenticated with the new authorization work.

[rma-psmorris]

Here is the existing lock issue: #1118