fix/client/dev: update proxy overwrite to respect authProviders

[bobheadxi]

Closes https://linear.app/sourcegraph/issue/CORE-213

The existing overwrite stripping window.context.authProviders sourced from a proxied API down to only built-in providers makes it impossible to reliably run sg start web-standalone against Sourcegraph.com (and likely other Sourcegraph instances). The docstring says:

Only username/password auth-provider provider is supported with the standalone server.

However, you can log in with other OAuth2 providers locally, so it doesn't make sense to remove them from the context. This PR removes the overwrite so that we can log in to Sourcegraph.com with a locally running web app, and talk to Cody and all that good stuff.

How to log in to OAuth providers with sg start web-standalone

IIRC what happens:

1. Click "Sign in" -> go to OAuth2 provider -> log in
2. OAuth2 provider issues callback to the Sourcegraph instance, telling it that you logged in
3. OAuth2 provider redirects you to the instance to confirm your session - for SAMS in dotcom:

https://sourcegraph.com/.auth/callback?code=sams_ac_...

This redirect will surface an error, like so:

Authentication failed. Try signing in again (and clearing cookies for the current site). The error was: state parameter did not match the expected value (possible request forgery).

This happens because you get redirected to an absolute URL, which will be sourcegraph.com (the upstream Sourcegraph instance), which won't match the cookie you get issued (sourcegraph.test). We just need to make sure it matches and send the code to the callback through our local proxy:

- https://sourcegraph.com/.auth/callback?code=sams_ac_...
+ https://sourcegraph.test:3443/.auth/callback?code=sams_ac_...

And everything will work :) I confirmed this works for e.g. logging into S2 with GitHub as well, using the callback issued by GitHub.

We cannot make this the default behaviour, because the redirect URL is usually configured in the OAuth provider. An example GitHub OAuth application configuration:

Note their guidance on valid values: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#redirect-urls - we must provide a single, absolute URL

This is very similar to the process used to log in to private Cloud instances, e.g. https://cloud-ops.sgdev.org/dashboard/environments/prod/instances/src-bd02273f6b90d1d1beee#log-in-to-the-instance-ui (scroll to bottom of this section), which indicates we've thought about similar cases before and found that this was the best way

Test plan

https://www.loom.com/share/6cb3b3ca475b4b9392aa4b11938e76e6?sid=d99fcb59-4308-45c7-9f68-af9ac44c4e7e

[fkling]

Are you saying you have to manually update the URL to match the original domain? Is there any way to make this work by default?

[bobheadxi]

@fkling I thought about that but I don't think it's possible, by design - it's generally hardcoded when you create an integration in the provider side, see my updated PR description. We also have to use a similar workaround to log in to customer Cloud instances.

We could special-case it in SAMS to allow a configurable redirect URL provided by the client but I'm not sure that's secure, and nothing in the OAuth2 spec seems to accommodate something like that

Note that you generally only have to do this once, until your session expires, which IIRC is 30 days