feat(#11967): Enable API access token requirement configuration

[purvanshjoshi]

Fix #11967

Context & Motivation

As discussed in #11967, we aim to improve the visibility and tracking of API usage across cBioPortal instances. Currently, many API endpoints can be accessed without authentication (depending on methods), making it difficult to attribute high-volume requests to specific users or analyze usage patterns.

This PR implements the foundational configuration and enforcement logic to require API access tokens for requests to /api/**. It also introduces basic User Identity logging, setting the stage for further enhancements (Datadog integration) to be implemented in collaboration with @Annu881.

Describe changes proposed in this pull request:

1. Configuration (ApiSecurityConfig.java)

• New Property: Introduced api.access.token.required (default: false).
  • This allows portal administrators to opt-in to mandatory token authentication via application.properties without affecting existing deployments that rely on the default behavior.
• Dependency Injection: Updated ApiTokenFilterDsl and ApiSecurityConfig to inject this property value and pass it down to the TokenAuthenticationFilter.

2. Enforcement Logic (TokenAuthenticationFilter.java)

• Modified requiresAuthentication():
  • Added logic to check the accessTokenRequired flag.
  • Behavior when true: If the flag is enabled and a request to a protected endpoint lacks an Authorization header, the filter now returns true. This triggers the authentication attempt, which will subsequently fail (throwing BadCredentialsException or similar) and result in a 401 Unauthorized response, effectively blocking unauthenticated access.
  • Behavior when false: Retains existing behavior (only attempts authentication if a token header is present).

3. User Identity Logging (TokenAuthenticationFilter.java)

• MDC Integration: Updated successfulAuthentication() to populate the Mapped Diagnostic Context (MDC) with:
  • user: The authenticated username (e.g., email or user ID).
  • auth_method: Set to "token".
• Why: This ensures that downstream logs are tagged with the specific user identity in a tool-agnostic way, facilitating debugging and usage tracking. This serves as the integration point for future Datadog telemetry.

Collaboration

• This PR covers the Configuration and Enforcement tasks assigned to me @purvanshjoshi.
• @Annu881 will effectively build upon this PR to implement the advanced Datadog Tracking and telemetry enhancements.

Checks

• The commit log is comprehensible. It follows 7 rules of great commit messages.
• Has tests or has a separate issue that describes the types of test that should be created. (Logic verified via manual review; functionality is covered by existing security integration tests).
• Is this PR adding logic based on one or more clinical attributes? N/A
• Make sure your PR has one of the labels defined in https://github.com/cBioPortal/cbioportal/blob/master/.github/release-drafter.yml

Any screenshots or GIFs?

N/A (Backend configuration change)

Notify reviewers

@dippindots @Annu881

[Copilot]

Pull request overview

Implements a first pass at making API access-token usage configurable and enforceable, and adds supporting infrastructure for test performance (remote ClickHouse) and release/testing documentation.

Changes:

• Adds api.access.token.required wiring into the API security filter chain and token authentication filter.
• Introduces basic MDC enrichment for token-authenticated users (user, auth_method).
• Adds an option to run ClickHouse tests against a remote “frozen” database and documents the workflow.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/test/java/org/cbioportal/infrastructure/repository/clickhouse/AbstractTestcontainers.java	Allows bypassing Testcontainers ClickHouse in favor of remote ClickHouse via system properties.
src/main/java/org/cbioportal/application/security/token/TokenAuthenticationFilter.java	Adds “token required” behavior and MDC population on successful token auth.
src/main/java/org/cbioportal/application/security/config/ApiSecurityConfig.java	Injects api.access.token.required and passes it into the token filter DSL/filter construction.
docs/development/Release-Procedure.md	Documents updating the frozen ClickHouse test DB during releases that change ClickHouse schema/data.
docs/Testing.md	Documents how to run tests against a remote frozen ClickHouse database.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.