
fix(FR-2627): forward api_version/date/endpoint to token_login#6893

Closed
nowgnuesLee wants to merge 1 commit into
04-22-feat_fr-2627_migrate_eduapplauncher_stoken_path_to_stokenloginboundaryfrom
04-22-fix_fr-2627_forward_api_version_date_endpoint_to_token_login

Conversation

@nowgnuesLee nowgnuesLee commented Apr 22, 2026

Follow-up to #6864 (FR-2627).

Summary

The eduAppExtraParamSpec nuqs allowlist in react/src/routes.tsx was missing three keys that the pre-migration EduAppLauncher._token_login used to forward as part of the body:

  • api_version
  • date
  • endpoint

The old implementation iterated every URLSearchParams entry and forwarded everything except sToken/stoken. The nuqs migration replaced that with an explicit allowlist and silently dropped these unlisted keys, so POST /server/token-login went out with a body that only contained { sToken, app, session_id, ... } — no signing envelope.

Backend.AI Manager auth hooks that validate the LMS-signed launcher URL against these fields would then reject the request as tampered, breaking sToken entry into /edu-applauncher and /applauncher.

Fix

Add api_version, date, endpoint to eduAppExtraParamSpec with a comment explaining why these must stay in the spec.

Test plan

  • bash scripts/verify.sh: ALL PASS
  • Manual: launch from LMS URL /edu-applauncher?sToken=<signed>&app=jupyterlab&api_version=...&date=...&endpoint=...&session_id=... and confirm POST /server/token-login body includes all five extra keys
  • Verify E2E regression PR test(FR-2639): add E2E regression for sToken login boundary routes #6865 scenarios still pass on top of this fix

The eduApp route's nuqs allowlist was missing the LMS signing envelope
keys (api_version, date, endpoint). The pre-migration _token_login in
EduAppLauncher forwarded every URL param except sToken/stoken; the
nuqs migration replaced that with an explicit allowlist and dropped
these unlisted keys. Manager-side auth hooks that validate the signed
launcher URL against these fields would then reject token_login as
tampered.
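The drop described above (forward-everything-but-the-token replaced by an explicit allowlist that omits the signing envelope keys), as an added illustration that is not code from the Backend.AI webui repository or from this PR. The function names (parseQuery, forwardAllButToken, buildTokenLoginBody, envelopeKeysMissing), the contents of ALLOWLIST_BEFORE_FIX and ALLOWLIST_AFTER_FIX beyond the keys the PR names, and the sample launcher URL are all assumptions; the real eduAppExtraParamSpec lives in react/src/routes.tsx and is not reproduced here.

```typescript
// Added illustration, not the project's own code. Shows why an explicit
// query-param allowlist dropped the LMS signing envelope (api_version, date,
// endpoint) and what adding those keys back restores. All names are hypothetical.

type ParamMap = { [key: string]: string };

// Tolerant percent-decoding: a malformed escape falls back to the raw text
// instead of throwing, so one bad param cannot abort the whole login.
function safeDecode(s: string): string {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { return s; }
}

// Minimal query-string parser standing in for URLSearchParams; last value wins.
function parseQuery(search: string): ParamMap {
  const out: ParamMap = {};
  const qs = search.charAt(0) === "?" ? search.slice(1) : search;
  if (qs.length === 0) return out;
  const parts = qs.split("&");
  for (let i = 0; i < parts.length; i++) {
    if (parts[i].length === 0) continue;
    const eq = parts[i].indexOf("=");
    const k = safeDecode(eq < 0 ? parts[i] : parts[i].slice(0, eq));
    const v = eq < 0 ? "" : safeDecode(parts[i].slice(eq + 1));
    out[k] = v;
  }
  return out;
}

// Reads the token under either spelling the PR mentions (sToken / stoken).
function pickToken(params: ParamMap): string {
  if (params["sToken"] !== undefined) return params["sToken"];
  if (params["stoken"] !== undefined) return params["stoken"];
  return "";
}

// Pre-migration behaviour as the PR describes it: every URL param except the
// token itself is forwarded; the token is re-attached under the sToken key.
function forwardAllButToken(search: string): ParamMap {
  const params = parseQuery(search);
  const body: ParamMap = {};
  for (const key in params) {
    if (!Object.prototype.hasOwnProperty.call(params, key)) continue;
    if (key === "sToken" || key === "stoken") continue;
    body[key] = params[key];
  }
  body["sToken"] = pickToken(params);
  return body;
}

// Post-migration behaviour: only keys named in the spec survive.
// Assumed shape of the allowlist before the fix (the real spec has more keys).
const ALLOWLIST_BEFORE_FIX: string[] = ["app", "session_id"];
const ALLOWLIST_AFTER_FIX: string[] = [
  "app", "session_id",
  // LMS signing envelope: the manager-side validator checks these against the
  // signed launcher URL, so dropping them makes token_login look tampered.
  "api_version", "date", "endpoint",
];

function buildTokenLoginBody(search: string, allowlist: string[]): ParamMap {
  const params = parseQuery(search);
  const body: ParamMap = { sToken: pickToken(params) };
  for (let i = 0; i < allowlist.length; i++) {
    const key = allowlist[i];
    if (params[key] !== undefined) body[key] = params[key];
  }
  return body;
}

// Presence check only: a stand-in for the manager-side validation, which
// would reject a body that lacks any of these fields. The real signature
// verification is not shown on the PR page and is not modelled here.
const ENVELOPE_KEYS: string[] = ["api_version", "date", "endpoint"];

function envelopeKeysMissing(body: ParamMap): string[] {
  const missing: string[] = [];
  for (let i = 0; i < ENVELOPE_KEYS.length; i++) {
    const v = body[ENVELOPE_KEYS[i]];
    if (v === undefined || v === "") missing.push(ENVELOPE_KEYS[i]);
  }
  return missing;
}

// Constructed launcher URL in the shape of the PR's test plan; placeholder values.
const SAMPLE_SEARCH =
  "?sToken=signed-token-placeholder&app=jupyterlab&api_version=v1" +
  "&date=2026-04-22T00%3A00%3A00Z&endpoint=https%3A%2F%2Fmanager.example%2F&session_id=sess-1";

console.log("legacy body      :", JSON.stringify(forwardAllButToken(SAMPLE_SEARCH)));
console.log("missing before   :", envelopeKeysMissing(buildTokenLoginBody(SAMPLE_SEARCH, ALLOWLIST_BEFORE_FIX)));
console.log("missing after fix:", envelopeKeysMissing(buildTokenLoginBody(SAMPLE_SEARCH, ALLOWLIST_AFTER_FIX)));
```

Run with a TypeScript runner such as tsx or ts-node. The point to take from it when reviewing an allowlist migration: diff the set of keys the old forward-everything path emitted against the new spec, and treat any key a downstream signature or HMAC check consumes as part of the protocol, not as optional UI state.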

nowgnuesLee commented Apr 22, 2026


How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

  • flow:merge-queue - adds this PR to the back of the merge queue
  • flow:hotfix - for urgent changes, fast-track this PR to the front of the merge queue

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has required the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@github-actions

Coverage report for ./react

Category Percentage Covered / Total
🔴 Statements 8.92% 1830/20515
🔴 Branches 8.1% 1165/14391
🔴 Functions 5.28% 294/5568
🔴 Lines 8.65% 1722/19908

Test suite run success

865 tests passing in 40 suites.

Report generated by 🧪jest coverage report action from ca03dc3

@nowgnuesLee

Folded into #6864 via gt modify amend. The 3-line allowlist fix and the EduAppLauncher auth-step removal now ship together as part of the Story 3 migration, since both are continuations of FR-2642 scope.

@nowgnuesLee nowgnuesLee deleted the 04-22-fix_fr-2627_forward_api_version_date_endpoint_to_token_login branch April 22, 2026 09:18

Labels

size:XS ~10 LoC
