Fixes to auth flow #9286

Merged
Archaeopteryx merged 3 commits into master from camd/auth-redirect-fixes on Mar 15, 2026

Conversation

camd (Collaborator) commented Mar 7, 2026

Two Auth fixes in this PR:

  • Contain auth flow in popup window
  • Cookie accumulation fix

External Taskcluster issue also needed for full fix to the TC tab issue:

The login flow (Auth0 + Taskcluster OAuth) now runs entirely in a popup window instead of opening new tabs in the main browser window.

Changes

  • Login.jsx: Open /login in a popup window instead of a new tab
  • LoginCallback.jsx: Navigate to TC auth within the same popup window; close the popup (with redirect fallback) when done
  • TaskclusterCallback.jsx: Always attempt window.close() first, fall back to redirect after 500ms

How it works

  1. "Login / Register" opens a popup window
  2. Auth0 login + 2FA happens in the popup
  3. LoginCallback navigates the popup to TC OAuth
  4. TC redirects back to /taskcluster-auth, which stores credentials and closes the popup
  5. The original Treeherder tab detects the login via storage events and updates the UI

Known limitation

Taskcluster's OAuth flow opens its dashboard (firefox-ci-tc.services.mozilla.com) in a new tab in the main window during authorization. This is a TC-side behavior we can't control. A request has been filed with the Taskcluster team to suppress this.

taskcluster/taskcluster#8357

Cookie accumulation fix (Bug 1749962)

The auth0-js library creates com.auth0.auth.{state} cookies for each token renewal attempt. On success these are cleaned up, but on failure they linger. Over time — especially with multiple tabs — hundreds of stale cookies accumulate on the treeherder.mozilla.org domain. Once the total cookie size exceeds browser limits, it causes further renewal failures, creating a feedback loop that logs users out every 15-30 minutes.

Two changes address this:

  • Switch from renewAuth to checkSession: The checkSession method uses the web_message (postMessage) flow and explicitly cleans up its state cookies even on failure. This prevents future accumulation.
  • Proactive cookie cleanup: A new cleanupAuth0Cookies() function removes all stale com.auth0.auth.* cookies on page load, before each renewal, and on logout. This clears the backlog for users who already have accumulated cookies from before this fix.

@camd camd self-assigned this Mar 7, 2026
codecov-commenter commented Mar 7, 2026

Codecov Report

❌ Patch coverage is 78.72340% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.75%. Comparing base (5a46c9f) to head (c47a1b6).
⚠️ Report is 16 commits behind head on master.

Files with missing lines                               Patch %   Lines
ui/login-callback/LoginCallback.jsx                      0.00%   3 Missing
ui/shared/auth/Login.jsx                                40.00%   2 Missing and 1 partial
.../taskcluster-auth-callback/TaskclusterCallback.jsx    0.00%   2 Missing
ui/helpers/auth.js                                      90.00%   1 Missing
ui/shared/auth/AuthService.js                           96.29%   1 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #9286      +/-   ##
==========================================
+ Coverage   82.66%   82.75%   +0.08%     
==========================================
  Files         610      610              
  Lines       34598    34634      +36     
  Branches     3338     3353      +15     
==========================================
+ Hits        28602    28660      +58     
+ Misses       5649     5634      -15     
+ Partials      347      340       -7     

@camd camd force-pushed the camd/auth-redirect-fixes branch from ffa7f0b to 971a9f3 on March 7, 2026 21:25
Each auth0-js renewAuth() call creates com.auth0.auth.{state} cookies for
CSRF protection. On success they're cleaned up, but on failure they linger.
Over time, hundreds of stale cookies accumulate, exceeding browser cookie
limits and causing further auth failures — a feedback loop that logs users
out every 15-30 minutes.

Two fixes:

1. Switch from renewAuth (redirect flow) to checkSession (web_message flow).
   checkSession explicitly clears its state cookies even on failure
   (via transactionManager.clearTransaction), preventing future accumulation.

2. Add cleanupAuth0Cookies() to proactively remove any existing stale
   com.auth0.auth.* and _com.auth0.auth.* (compat) cookies. Called on
   page load, before each renewal, and on logout — clearing the backlog
   for users who already have accumulated cookies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
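The proactive cookie cleanup described in the PR description ("Cookie accumulation fix") and in the commit message above, written out as an added example. This is not Treeherder's or auth0-js's own code: the cookie names `com.auth0.auth.<state>` and the `_com.auth0.auth.<state>` compat form are taken from the PR text, while the character set allowed in `<state>`, the `inFlightState` parameter (so a renewal that is still in progress keeps its CSRF cookie), and the `documentLike` object that stands in for the browser's `document` are assumptions made so the logic can run outside a browser.

```javascript
// Added example (not Treeherder's or auth0-js's own code) of the proactive
// cleanup described in the PR. Cookie names "com.auth0.auth.<state>" and the
// "_com.auth0.auth.<state>" compat form come from the PR; the character set
// allowed in <state> and the document-like interface are assumptions.
const AUTH0_TRANSACTION_COOKIE = /^_?com\.auth0\.auth\.([A-Za-z0-9._~-]+)$/;

// Parse a "name=value; name2=value2" header string into [name, value] pairs.
function parseCookieHeader(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1 ? [part, ''] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Names of auth0 transaction cookies that are safe to delete. The cookie for
// the transaction currently in flight (if any) is kept: auth0-js needs it to
// validate the `state` parameter when the renewal response comes back.
function findStaleAuth0Cookies(cookieHeader, inFlightState = null) {
  const stale = [];
  for (const [name] of parseCookieHeader(cookieHeader)) {
    const match = AUTH0_TRANSACTION_COOKIE.exec(name);
    if (match && match[1] !== inFlightState) stale.push(name);
  }
  return stale;
}

// A cookie is only removed by an expiry write whose name, path and domain
// match the original, so both the host-only and the explicit-domain variants
// are emitted for each name.
function buildExpiryStrings(name, domain) {
  const expired = 'expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/';
  return [`${name}=; ${expired}`, `${name}=; ${expired}; domain=${domain}`];
}

// Run the cleanup against any object whose `cookie` property reads as the
// current cookie header and accepts one Set-Cookie-style string per
// assignment, which is how the browser's `document.cookie` behaves. Returns
// the names that were expired so callers can log them.
function cleanupAuth0Cookies(documentLike, domain, inFlightState = null) {
  const stale = findStaleAuth0Cookies(documentLike.cookie, inFlightState);
  for (const name of stale) {
    for (const str of buildExpiryStrings(name, domain)) {
      documentLike.cookie = str;
    }
  }
  return stale;
}

// Constructed stand-in for document.cookie so the example runs outside a
// browser: the setter drops a name when it sees the epoch expiry and
// otherwise stores the value.
function makeFakeDocument(initialHeader) {
  const jar = new Map(parseCookieHeader(initialHeader));
  return {
    get cookie() {
      return [...jar].map(([name, value]) => `${name}=${value}`).join('; ');
    },
    set cookie(str) {
      const [name, value] = parseCookieHeader(str)[0];
      if (/expires=Thu, 01 Jan 1970/.test(str)) jar.delete(name);
      else jar.set(name, value);
    },
  };
}

// Constructed sample: a session cookie, three stale transaction cookies
// (one in the compat form) and one transaction that is still in flight.
const sampleDoc = makeFakeDocument(
  'sessionid=abc; com.auth0.auth.old1=x; com.auth0.auth.old2=y; ' +
    '_com.auth0.auth.old3=z; com.auth0.auth.live=w'
);
console.log(cleanupAuth0Cookies(sampleDoc, 'treeherder.mozilla.org', 'live'));
console.log(sampleDoc.cookie);
```

In a real page the call would be `cleanupAuth0Cookies(document, window.location.hostname, currentState)` at page load, before each `checkSession` call, and on logout, matching the three points the commit message lists. Passing the in-flight state is the part worth getting right: deleting every `com.auth0.auth.*` cookie unconditionally in the middle of a renewal would remove the CSRF transaction cookie that the response is about to be checked against, turning the cleanup itself into a source of renewal failures.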
@camd camd requested a review from Archaeopteryx March 7, 2026 22:55
if (timeout > 0) {
// apply jitter to stagger tabs. After laptop wake (timeout === 0)
// use a small 0-5s jitter; otherwise use up to 5 minutes.
if (timeout <= 0) {
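Review bot: the new condition `if (timeout <= 0)` on the last line is broader than the case the comment directly above it names (`timeout === 0`, after laptop wake); if the value has already been clamped with `max(0, ...)` it can never be negative, so `if (timeout === 0)` would express the intent exactly and keep the code and the comment in agreement. Whichever form is kept, stating the clamping assumption in the comment makes the check self-explanatory.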
Collaborator

timeout is never negative because of the max(0, ... call above.

@Archaeopteryx Archaeopteryx merged commit 7854296 into master Mar 15, 2026
3 of 6 checks passed
@Archaeopteryx Archaeopteryx deleted the camd/auth-redirect-fixes branch March 15, 2026 23:47