[HCA DCP] Implement authorization code flow with Azul for HCA DCP dev

[frano-m]

Summary

Implement the OAuth 2.0 authorization code flow against Azul's /user/authorize endpoint for HCA DCP dev, mirroring what was done for AnVIL in #4793 / #4796.

This was originally part of the scope of #4793 ("This should be implemented for HCA and AnVIL"); #4796 covered AnVIL only. This ticket tracks the HCA DCP dev half.

Context

• Original Azul change: Implement authorization code flow with Azul and Data Browser azul#7954
• AnVIL implementation (precedent): feat: implement authorization code flow with azul and data browser (#4793) #4796
• Reason for the switch: refresh-token support so curl download links don't expire after the implicit-flow access-token TTL — see cURL manifest command lines expire after only one hour azul#7945

Scope

• Update site-config/hca-dcp/dev/authentication/constants.ts:
  • Switch flow to OAUTH_FLOW.AUTHORIZATION_CODE
  • Add authorize URL pointing at the HCA DCP dev Azul /user/authorize endpoint
  • Bump CLIENT_ID to whatever is required for the new flow (TBC with @hannes-ucsc)
• Verify against the HCA DCP dev Azul deployment, mirroring the test plan in feat: implement authorization code flow with azul and data browser (#4793) #4796
• Other HCA environments (cc-ma-dev, ma-prod, cc-dev, etc.) remain on OAUTH_FLOW.IMPLICIT for now, per the "only Azul dev/anvildev should adopt this" guidance from Implement authorization code flow with Azul and Data Browser #7954 #4793

Out of scope

• HCA DCP prod (and other non-dev HCA envs) — to be tracked separately if/when the flow is rolled out beyond dev

Test plan

Mirror #4796:

• Login end-to-end on localhost:3000 against HCA DCP dev: POST to /user/authorize returns {access_token, id_token, scope, expires_in, token_type}; profile loads
• Logout clears state, datasets table reverts to public-only view
• Inactivity timeout still triggers
• Terra-side checks (userinfo, ToS, profile) still 200 with the access token

References

• Implement authorization code flow with Azul and Data Browser #7954 #4793 (parent / origin)
• feat: implement authorization code flow with azul and data browser (#4793) #4796 (AnVIL implementation)
• Implement authorization code flow with Azul and Data Browser azul#7954, cURL manifest command lines expire after only one hour azul#7945