
fix: login flows#826

Open
HatemMn wants to merge 11 commits into develop from feat/fix_auth_issues

Conversation

Contributor

@HatemMn HatemMn commented Mar 24, 2026

This PR aims to formalise how the KMS UI connects, which login methods are supported and which are not supported.

Features

The UI now has 4 known states; there is no other possible case:

1. No KMS server is reachable:

Displays a clear error message stating the issue

2. A KMS is there, but it was launched with no auth method

The behavior of the UI didn't change, it's just more explicit now:
[screenshot]

3. KMS launched with mTLS, and no JWT parameters provided

This was also implemented correctly, just undocumented.
To reproduce (non-FIPS!!!):

[tls]
# non-FIPS images typically use PKCS#12
tls_p12_file = "repoFolder/kms/test_data/certificates/client_server/server/kmserver.acme.com.p12"
tls_p12_password = "password"
clients_ca_cert_file = "/repoFolder/kms/test_data/certificates/client_server/ca/ca.crt"

Skip the scary warning if using test certs
The password of this example is "password"

[screenshot]

If you choose to not provide the client cert, you will just loop in the login page till you give one (old screenshot, I fixed the space issue):

[screenshot]

4. KMS launched with JWT

Like usual
And no way to bypass it now

5. KMS launched with both JWT and mTLS

Works OK, but normally no one uses this

Bug fixes

  • In the dev setup, the KMS wasn't able to log in and crashed when the logic works. This has been fixed.
  • Multiple fixes done directly on the OAuth interface, mostly related to dev-only bugs.
  • Took away the "JWT is enabled" message.

Docs

  • documented all of the above

@HatemMn HatemMn changed the title fix: first fix fix: login issues Mar 24, 2026
@HatemMn HatemMn force-pushed the feat/fix_auth_issues branch from d765339 to 624e74c on March 27, 2026 19:36
@HatemMn HatemMn self-assigned this Mar 30, 2026
@HatemMn HatemMn changed the title fix: login issues fix: login flows Apr 3, 2026
@HatemMn HatemMn force-pushed the feat/fix_auth_issues branch from 0d3173f to d7ea287 on April 3, 2026 18:20

To communicate with the KMS, the clients `ckms` expect the same configuration file. Please read the [configuration](./configuration.md) section.

## Usage
Contributor Author


shows in duplicate in prod

@HatemMn HatemMn force-pushed the feat/fix_auth_issues branch from 02e2e03 to e1fc4e8 on April 7, 2026 10:13
Contributor

Copilot AI left a comment


Pull request overview

This PR formalizes the Cosmian KMS Web UI connection/authentication flows by making the UI explicitly detect the server auth mode (none / JWT (OIDC) / mTLS) and adjusting routing and messaging accordingly, alongside documentation and E2E stability updates.

Changes:

  • Add explicit “cannot connect” handling and refine routing/login behavior for JWT and mTLS modes.
  • Improve UX messaging (no-auth warning banner, clearer mTLS failure feedback) and remove the Sidebar JWT warning block.
  • Update E2E navigation waiting logic and expand docs/changelog to document the supported UI login flows.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 7 comments.

Summary per file (File: Description):

ui/tests/e2e/helpers.ts: Adds an additional wait condition after networkidle to reduce E2E flakiness.
ui/src/utils/utils.ts: Changes auth-method typing/behavior and logs errors when auth-method detection fails.
ui/src/pages/LoginPage.tsx: Adds mTLS “ACCESS KMS” certificate-validation attempt and shows an Alert on failure.
ui/src/contexts/AuthContext.tsx: Removes the react-refresh/only-export-components eslint disable.
ui/src/components/layout/Sidebar.tsx: Removes JWT warning banner and keeps Create/Import enablement logic based on permissions.
ui/src/components/layout/MainLayout.tsx: Adds a “no-auth” warning banner and refines WASM warning styling/text wrapping.
ui/src/App.tsx: Centralizes auth-method detection, adds “cannot connect” screen, and updates login/main routing rules.
nix/expected-hashes/ui.pnpm.linux.sha256: Updates Nix UI pnpm vendor hash for Linux.
nix/expected-hashes/ui.pnpm.darwin.sha256: Updates Nix UI pnpm vendor hash for macOS.
documentation/docs/configuration/ui.md: Documents UI access + auth-mode-dependent login flows, including mTLS browser cert setup.
cli_documentation/docs/index.md: Adds a Web UI section describing access URL and high-level auth behavior.
CHANGELOG/feat_fix_auth_issues.md: Adds a branch changelog entry describing UI auth flow changes and docs updates.
.github/copilot-instructions.md: Clarifies canonical instructions file and improves Nix hash mismatch guidance.
Comments suppressed due to low confidence (1)

ui/src/components/layout/Sidebar.tsx:85

  • fetchAuthMethod now returns undefined on error, but this effect only treats null as “could not be determined”. When method is undefined, the code falls into fetchCreatePermission() and ends up disabling Create/Import (or doing an unnecessary call) even though the comment says undetermined should be granted. Handle undefined explicitly (or change fetchAuthMethod to throw / return a separate Result type).
    let method: AuthMethod | null = null;
    try {
        method = await fetchAuthMethod(serverUrl);
    } catch {
        /* ignore */
    }
    // In no-auth mode ("None") grant create/import access immediately
    // without calling the permissions API. Also grant if the auth method
    // could not be determined (e.g. server not yet reachable).
    if (method === "None" || method === null) {
        processMenuItems(true);
    } else {
        fetchCreatePermission();
    }

ui/src/App.tsx Outdated
<>
<Route index element={<LoginPage auth={false} />} />
<Route index element={<Navigate to="locate" replace />} />
<Route path="/login" element={<Navigate to="locate" replace />} />
Copilot AI Apr 7, 2026


<Route path="/login" element={<Navigate to="locate" .../>}> uses a relative target, which will resolve to /login/locate (non-existent) rather than /locate. Use an absolute /locate (or a ../locate relative) so the redirect works when users hit /login while already authenticated or in no-auth mode.

Suggested change
<Route path="/login" element={<Navigate to="locate" replace />} />
<Route path="/login" element={<Navigate to="/locate" replace />} />

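Added example (not code from the Cosmian KMS UI or from this PR): it models the auth-method probe as the explicit Result type the review above suggests, so an unreachable server is its own case rather than a `null`/`undefined` that a loose check can misread, and it derives the UI states listed in the PR description from that probe. All type and function names here are assumed for the example.

```typescript
// Added example, not code from the Cosmian KMS UI. It models the auth-method
// probe as an explicit Result type (the alternative Copilot suggests) and derives
// the UI states the PR describes from it. All names here are assumed.

// Auth modes the server can report.
type AuthMethod = "None" | "JWT" | "mTLS";

// "Could not be determined" is its own case, never null or undefined, so it
// cannot slip past a `method === null` check the way an `undefined` return does.
type AuthProbe =
  | { kind: "ok"; method: AuthMethod }
  | { kind: "unreachable"; error: string };

type UiState =
  | { screen: "cannot-connect"; message: string }
  | { screen: "login"; mode: "JWT" | "mTLS" }
  | { screen: "main"; banner: "no-auth" | null; createImport: "granted" | "ask-permissions-api" };

// Wrap a fetch that may throw (server down, bad URL) into the explicit case.
async function probeAuthMethod(fetchMethod: () => Promise<AuthMethod>): Promise<AuthProbe> {
  try {
    return { kind: "ok", method: await fetchMethod() };
  } catch (e) {
    return { kind: "unreachable", error: e instanceof Error ? e.message : String(e) };
  }
}

// Pure decision: exhaustive over the probe, so a new auth mode is a compile error.
function decideUiState(probe: AuthProbe, hasSession: boolean): UiState {
  if (probe.kind === "unreachable") {
    return { screen: "cannot-connect", message: `No KMS server reachable: ${probe.error}` };
  }
  switch (probe.method) {
    case "None":
      // No auth configured: show the warning banner and skip the permissions API.
      return { screen: "main", banner: "no-auth", createImport: "granted" };
    case "JWT":
    case "mTLS":
      // Authenticated modes cannot be bypassed: no session means the login page.
      return hasSession
        ? { screen: "main", banner: null, createImport: "ask-permissions-api" }
        : { screen: "login", mode: probe.method };
    default: {
      const unhandled: never = probe.method;
      throw new Error(`unknown auth method ${String(unhandled)}`);
    }
  }
}
```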
@HatemMn HatemMn requested a review from Manuthor April 7, 2026 13:27