[Feature] Accomodate HttpOnly `asf-urs` cookies

[asjohnston-asf]

At the request of the EDC security team, an upcoming release of TEA will now cause these ASF distribution endpoints to set the HttpOnly property of the asf-urs session cookie:

• https://sentinel1.asf.alaska.edu
• https://cumulus.asf.alaska.edu
• https://cumulus.earthdatacloud.nasa.gov
• https://nisar.earthdatacloud.nasa.gov

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#security

A cookie with the HttpOnly attribute can't be accessed by JavaScript, for example using Document.cookie; it can only be accessed when it reaches the server. Cookies that persist user sessions for example should have the HttpOnly attribute set — it would be really insecure to make them available to JavaScript. This precaution helps mitigate cross-site scripting (XSS) attacks.

As a result, the getUser() function will not be able to access the cookie payload. Vertex will need an alternate approach to verify that the user is logged in and to retrieve their user id/group memberships/etc.

I'll describe a possible implementation in my following comment.

[asjohnston-asf]

While the asf-urs cookie will no longer be accessible via javascript running in the browser, it will still be forwarded with requests to .asf.alaska.edu URLs as normal.

The front-end Discovery-SearchUI app is supported by the back-end Discovery-AppUserDataService app running at https://appdata.asf.alaska.edu/. The business logic currently in getUser() could be migrated to an additional endpoint, say https://appdata.asf.alaska.edu/foo. Rather than parsing the cookie contents in javascript, the front-end app would make a request to the back-end app. The back-end would check for the presence of the cookie and it's validity and return an appropriate JSON-formatted payload.