Add new middleware to handle epitrax auth

[vochaparro2]

PULL REQUEST

Hide ECR ID from URL for EpiTrax-authenticated sessions

Summary

• Adds withEpitraxAuth middleware that handles authentication for
  EpiTrax-originated sessions on the /view-data page
• On first visit, verifies the JWT passed via ?auth=, stores the auth token
  and ECR ID in httpOnly cookies, and redirects to a clean URL with no ?id= in
  the address bar
• On subsequent visits, verifies the JWT and internally rewrites the request
  so the page receives the ECR ID without it ever appearing in the browser URL
• Adds unit tests covering all auth paths and edge cases

Related Issue

Fixes #1438

Acceptance Criteria

• The ECR ID is not visible in the browser URL at any point after navigating
  from EpiTrax
• The correct ECR record is still loaded for the authenticated user

Additional Information

Anything else the review team should know?

Checklist

• If this code affects the other scrum team, have they been notified? (In Slack, as reviewers, etc.)

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.11%. Comparing base (0ead7aa) to head (ee95fac).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1443      +/-   ##
==========================================
+ Coverage   85.91%   90.11%   +4.20%     
==========================================
  Files         259      180      -79     
  Lines       11705     6979    -4726     
  Branches     1378     1388      +10     
==========================================
- Hits        10056     6289    -3767     
+ Misses       1642      683     -959     
  Partials        7        7              

Flag	Coverage Δ
ecr-viewer	91.10% <100.00%> (+0.10%)	⬆️
ingestion	?
message-parser	?
orchestration	85.29% <ø> (ø)
trigger-code-reference	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[austin-hall-skylight]

I would prefer to unify this new middleware and withNbsAuth into something like withJwtAuth. We could change the cookie names and environment variable names to be more generic. I think it would be fine to remove the eCR ID from the URL when launching from NBS like EpiTrax wants and as for verifying the eCR ID in the token, we can just skip that if there isn't an ID in the token which would be the NBS flow. We would also take on the JWT authentication for /api/ routes from NBS which is something that we would need for purely EpiTrax-integrated instances. I'm happy to discuss this further if needed.