feat(FR-2627): migrate EduAppLauncher sToken path to STokenLoginBoundary

[nowgnuesLee]

Resolves FR-2641, FR-2642 (under Story FR-2627, Epic FR-2616)

Summary

Story 3 of Epic FR-2616: route /edu-applauncher and /applauncher now authenticate through STokenLoginBoundary before EduAppLauncher mounts. _token_login and the manual backend-ai-connected dispatch are removed from the component.

Scope

• Route wrapping (react/src/routes.tsx): both edu-app routes read sToken via useSToken() and URL params via useQueryStates(eduAppExtraParamSpec), then wrap EduAppLauncherPage with STokenLoginBoundary. The URL is intentionally not stripped on success (the launcher still passes sToken prop through for eduApp.get_user_credential and other params drive the launch sequence).
• EduAppLauncher cleanup (react/src/components/EduAppLauncher.tsx):
  • Removed _token_login() method and the URL parsing it owned.
  • Removed the manual document.dispatchEvent(new CustomEvent('backend-ai-connected')) call (the boundary now dispatches this exactly once).
  • Removed the auth stage from EduAppLaunchStage — authentication is no longer represented in the launcher's state machine or its stepper UI. Since the boundary runs connectViaGQL before EduAppLauncher mounts, the component always starts with a fully authenticated client.
  • Deleted _prepareProjectInformation() — connectViaGQL already populates groups / groupIds / current_group / current_group_id with a superset of the fields this helper fetched.
  • Proxy URL attach (_attachProxyURL) remains but is no longer labeled "auth"; failures now surface under the session step.
  • The stepper UI drops from 3 steps to 2 (Preparing Session → Launching App).
• extraParams allowlist (react/src/routes.tsx:eduAppExtraParamSpec): added api_version, date, endpoint. These are part of the LMS signing envelope forwarded with sToken in the old URL-scan based _token_login; the nuqs migration replaced the scan with an explicit allowlist and had dropped them, causing manager-side auth hooks that validate the signature against these fields to reject token_login as tampered.

Test plan

• bash scripts/verify.sh → ALL PASS
• Manual: launch from LMS URL /edu-applauncher?sToken=<signed>&app=jupyterlab&api_version=...&date=...&endpoint=...&session_id=... and confirm:
  • POST /server/token-login body contains all extra keys (check DevTools Network tab)
  • Stepper shows 2 steps ("Preparing Session", "Launching App") — no "Authentication" step
  • Successful launch opens the app in a new tab
• Regression scenarios covered by PR test(FR-2639): add E2E regression for sToken login boundary routes #6865 E2E: with / without session_id, invalid sToken surfaces stepper-integrated error

Checklist:

• Documentation
• Minium required manager version
• Specific setting for review (eg., KB link, endpoint or how to setup)
• Minimum requirements to check during review
• Test case(s) to demonstrate the difference of before/after

Stack

Story 3 of Epic FR-2616. See dev plan for the full story breakdown.

[nowgnuesLee]

• feat(FR-2627): migrate EduAppLauncher sToken path to STokenLoginBoundary #6864 : 2 dependent PRs (#6865 , #6893 ) 👈 (View in Graphite)
• feat(FR-2626): migrate LoginView sToken path to STokenLoginBoundary #6861
• refactor(FR-2616): rely on React Compiler ('use memo') for memoization #6857
• test(FR-2633): add unit tests for STokenLoginBoundary #6856
• feat(FR-2632): add default fallback and error card UI for STokenLoginBoundary #6855
• feat(FR-2631): implement STokenLoginBoundary component core #6853 : 1 other dependent PR (#6854 )
• feat(FR-2630): add useSToken hook with nuqs and stoken deprecation warning #6852
• feat(FR-2629): extend tokenLogin helper with optional extraParams #6851
• refactor(FR-2628): rename useEduAppApiEndpoint to useResolvedApiEndpoint #6850
• feat(FR-2618): add sToken login boundary component spec #6828
• main

---

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• flow:merge-queue - adds this PR to the back of the merge queue
• flow:hotfix - for urgent changes, fast-track this PR to the front of the merge queue

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has required the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

Coverage report for ./react

St.❔	Category	Percentage	Covered / Total
🔴	Statements	8.92% (+0.02% 🔼)	1831/20519
🔴	Branches	8.07% (+0% 🔼)	1165/14429
🔴	Functions	5.28% (+0% 🔼)	294/5567
🔴	Lines	8.65% (+0.02% 🔼)	1723/19908

Test suite run success

865 tests passing in 40 suites.

Report generated by 🧪jest coverage report action from 5716748

[Copilot]

Pull request overview

Routes for /edu-applauncher and /applauncher are updated so sToken-based authentication happens in STokenLoginBoundary before EduAppLauncher mounts, simplifying the launcher’s internal flow and moving URL-param parsing to a typed nuqs allowlist.

Changes:

• Wrap /edu-applauncher and /applauncher routes with STokenLoginBoundary, sourcing sToken via useSToken() and allowlisted query params via useQueryStates().
• Thread sToken and extraParams down through EduAppLauncherPage into EduAppLauncher (no more in-component URL parsing).
• Simplify EduAppLauncher state machine/stepper by removing the authentication stage and related legacy logic.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
react/src/routes.tsx	Adds eduAppExtraParamSpec allowlist and wraps edu-app routes in STokenLoginBoundary, passing captured sToken/extraParams through.
react/src/pages/EduAppLauncherPage.tsx	Updates page components to accept and forward sToken/extraParams props into the lazy launcher.
react/src/components/EduAppLauncher.tsx	Removes token-login + URL parsing from the launcher, shifts to prop-based params, and drops the auth stage from the stepper/state machine.

[yomybaby]

LGTM

[graphite-app]

Merge activity

• Apr 23, 10:31 AM UTC: yomybaby added this pull request to the Graphite merge queue.
• Apr 23, 10:47 AM UTC: Merged by the Graphite merge queue.