CRASM-3443 Update token usage to cookie auth frontend and backend#1458

Open
nickviola wants to merge 16 commits into develop from CRASM-3443-refactor-auth-token-usage
Conversation

@nickviola
Contributor

@nickviola nickviola commented Jan 14, 2026

🗣 Description

Improve auth flow and token usage across the application. HttpOnly needed to be set after the new auth flow changes to improve security.

💭 Motivation and context

Backend changes (FastAPI/Django layer)

Shift authentication usage toward cookie-based auth instead of passing tokens around manually (core goal of the PR).

  • Advantage: Fewer places to mishandle tokens, more consistent auth flow across the app, and better alignment with secure cookie patterns (e.g., httpOnly cookies).

Update backend auth utilities and SAML auth handling (backend/src/xfd_django/xfd_api/auth.py, auth_saml.py).

  • Advantage: Centralizes the “source of truth” for auth behavior and reduces drift between SAML login behavior and API request authentication.

Handle CSRF-protection edge cases more explicitly (backend code + tests)

  • Advantage: Fewer surprise 403/401 issues in real environments, clearer behavior when CSRF headers/cookies are missing or invalid.

Make cookie-name resolution more predictable (commit message: “Update getting cookie name more predictable”).

  • Advantage: Reduces flaky auth behavior across environments (local/staging/prod) and prevents bugs where different cookie names are expected.

Cleanup / consistency improvements (remove unused logic + standardize header constant usage).

  • Advantage: Less unexpected behavior in the auth layer; easier and faster debugging.

Frontend changes (React)

Update frontend API calling pattern to align with cookie auth (touches AuthContext, AuthContextProvider, and useApi).

  • Advantage: Frontend no longer needs to manually thread tokens through headers everywhere; fewer auth-related bugs and cleaner call sites.

Auth route/guard cleanup and simplification (changes to RouteGuard.tsx; removal/cleanup of AuthRoute usage).

  • Advantage: Fewer redundant auth abstractions, less chance of double-handling redirects/guard logic, and clearer routing behavior.

Remove dead/commented code + remove unused AuthRoute exports (explicit commits: “Remove commented code…” and “Remove unused AuthRoute…”).

  • Advantage: Smaller surface area to maintain; reduces confusion when troubleshooting auth/routing.

Test and tooling changes

Backend tests updated broadly to the new cookie-auth + CSRF-aware flow (many test modules updated: test_auth.py, test_api_key.py, test_organization.py, etc.).

  • Advantage: Prevents regressions and ensures the new auth approach is enforced across endpoints.

Add/expand frontend unit tests around the updated auth + API hook behavior (useApi.test.ts, authContextProvider.test.tsx, routeGuard.test.tsx, plus test README).

  • Advantage: Locks in expected behavior for the new flow and makes refactors safer.

Update Vite testing config (frontend/vite.config.mts).

  • Advantage: Keeps the test runner aligned with the new auth/test patterns and reduces local vs CI mismatch.

Snapshot/test artifact cleanup (re-remove vulns snapshot).

  • Advantage: Reduces noisy snapshot churn and helps CI signal real changes.

🧪 Testing

  • Authenticate with the application and confirm that the token is no longer in local storage and instead is stored in an id that is validated on the backend (cookie management). No actual usable token is stored in the frontend or read by JavaScript.

  • Confirm functionality and API calls from frontend aren't breaking.

  • Confirm API key usage doesn't break.

  • Get feedback on group for auth flow changes and take suggestions/feedback.

  • Discuss Deployment potential issues and prepare for those scenarios.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All future TODOs are captured in issues, which are referenced in code comments.
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
  • Tests have been added and/or modified to cover the changes in this PR.
  • All new and existing tests pass.
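As an added illustration of the request-side checks this PR describes (an HttpOnly session cookie, a double-submit CSRF check that is skipped for API-key clients, and one predictable cookie-name rule), the following is example code written for this page, not code from the project; the header and cookie names, the `AUTH_COOKIE_NAME`/`ENV` settings and the `__Host-` scheme are assumptions:

```python
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
CSRF_HEADER = "X-CSRFToken"   # Django's default CSRF header; assumed for this example
CSRF_COOKIE = "csrftoken"     # Django's default CSRF cookie; assumed for this example
API_KEY_HEADER = "X-API-Key"  # hypothetical header used by API-key clients


def session_cookie_name(env):
    """Resolve the session cookie name from one setting, the same way in every environment."""
    name = env.get("AUTH_COOKIE_NAME", "sessionid")  # AUTH_COOKIE_NAME is a hypothetical setting
    # Browsers accept the __Host- prefix only on Secure cookies with Path=/ and no Domain,
    # so it is skipped for plain-http local development.
    return name if env.get("ENV") == "local" else "__Host-" + name


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def authenticate(req, sessions, api_keys, env):
    """Return (status, principal): 401 for a missing/invalid credential, 403 for a CSRF failure."""
    api_key = req.headers.get(API_KEY_HEADER)
    if api_key is not None:
        # Non-browser client: the key is the credential and no cookie is involved, so no CSRF check.
        for known, owner in api_keys.items():
            if hmac.compare_digest(known, api_key):
                return 200, owner
        return 401, None
    user = sessions.get(req.cookies.get(session_cookie_name(env), ""))
    if user is None:
        return 401, None
    if req.method.upper() not in SAFE_METHODS:
        # Double-submit check: a cross-site page can make the browser send the cookie
        # but cannot read it to copy it into the header.
        sent = req.headers.get(CSRF_HEADER, "")
        expected = req.cookies.get(CSRF_COOKIE, "")
        if not (sent and expected and hmac.compare_digest(sent, expected)):
            return 403, None
    return 200, user


def session_set_cookie(name, value, max_age=3600):
    """Set-Cookie value for the session; HttpOnly keeps it out of document.cookie."""
    return "%s=%s; Path=/; Max-Age=%d; Secure; HttpOnly; SameSite=Lax" % (name, value, max_age)
```

The 401/403 split mirrors the distinction the description draws: a missing or invalid credential versus a valid session whose CSRF header or cookie is absent or mismatched.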

@nickviola nickviola changed the title Update token usage to cookie auth frontend and backend CRASM-3443 Update token usage to cookie auth frontend and backend Jan 27, 2026
@coveralls

coveralls commented Jan 30, 2026

Coverage Status

coverage: 43.727% (+0.6%) from 43.08% when pulling 2632784 on CRASM-3443-refactor-auth-token-usage into fa73a16 on develop.

@nickviola nickviola marked this pull request as ready for review February 2, 2026 20:25