Fix cookie policy for Seqera Platform JWT token refresh

[pditommaso]

Summary

• Updates lib-httpx dependency to version 2.1.0 across affected modules
• Configures CookiePolicy.ACCEPT_ALL for JWT token refresh functionality
• Fixes cookie handling in Tower and Wave clients for proper authentication token refresh

Changes

• modules/nf-commons: Bump lib-httpx from 2.0.0 to 2.1.0
• plugins/nf-tower: Update lib-httpx dependency and configure cookie policy for TowerClient, TowerFusionToken, and TowerXAuth
• plugins/nf-wave: Update lib-httpx dependency and configure cookie policy for WaveClient

Test plan

• Verify Tower authentication and token refresh works correctly
• Verify Wave service integration maintains proper authentication
• Run existing integration tests for Tower and Wave plugins

🤖 Generated with Claude Code

[pditommaso]

@jordeu any chance you can validate this?

[jordeu]

@jordeu any chance you can validate this?

Ok, let me launch a +1h pipeline to validate

[pditommaso]

I'll merge this, however validation would still be important

[jordeu]

Sorry, I couldn't validate before. I've checked with the 25.09.1-edge version, and we are still getting this exception after one hour of running:

WARN  nextflow.fusion.FusionEnvProvider - Unable to validate Fusion license - reason: Unauthorized [401] - Verify you have provided a Seqera Platform valid access token

[pditommaso]

umm, i've tested locally using a short lived jwt token and it was refreshing correctly

[jordeu]

umm, i've tested locally using a short lived jwt token and it was refreshing correctly

Yes, I also tested this part, but not altogether. Not sure what is going on, but that cookie problem might not be the full solution.

[pditommaso]

Re-opening this, @jorgee can you please have a look (context, @jordeu is reporting the jwt token is not updated with when checking the fusion license)

[pditommaso]

(oops, this is a PR and it cannot be re-opened)

[jorgee]

Looking at this now. Just to check if I correctly understood the issue. Nextflow needs a jwt token for validating the fusion license. This token expires, and the httpx client refreshes it, but something fails after refreshing that we get 401 when checking the license. It can be reproduced running a pipeline with fusion and wave enabled with a duration larger than 1 hour. Is it correct? or do I miss something?

[pditommaso]

Yeah, but it much simpler using a local platform instance and setting jwt lifespan to a few mins. Let's chat over slack