Security improvements:
- Add structured logging with sanitized error messages
- Remove hardcoded CloudFront URL fallback (requires proper config)
- Move SimpleCookie import to module level for better performance

Frontend enhancements:
- Add 30-second timeout to token exchange requests
- Fix useEffect dependency array in useClient hook
- Implement OAuth callback handler with PKCE validation

Infrastructure updates:
- Configure auth handler Lambda for cookie-based authentication
- Add API Gateway routes for token exchange, logout, and userinfo
- Improve CloudFront URL parsing documentation

All changes pass Ruff linting and formatting checks.

- Backend logout_handler returns Okta logout URL with id_token_hint
- Frontend redirects to Okta /v1/logout to end SSO session
- Added cloudfront_url config fallback for CLOUDFRONT_URL env var

## Checkov Fixes (5 issues resolved)

### 1. CKV_AWS_158: CloudWatch Log Group KMS Encryption ✓
- Add dedicated KMS key (logs_kms_key) for CloudWatch Logs encryption
- Configure key policy to allow CloudWatch Logs service access
- Apply encryption to auth handler log group
- Enable key rotation for compliance

### 2. CKV_AWS_115: Lambda Concurrent Execution Limit ✓
- Set reserved_concurrent_executions=100 for auth handler Lambda
- Prevents runaway costs from unlimited concurrent executions
- Provides predictable capacity planning
- Protects against DDoS-style attacks

### 3-5. CKV_AWS_59: API Gateway Authorization ✓
- Add suppression comments for 3 auth endpoints:
  * /auth/token-exchange (POST)
  * /auth/logout (POST)
  * /auth/userinfo (GET)
- These endpoints are intentionally public by design for OAuth flow
- Protected by multiple security layers:
  * WAF rules (rate limiting, IP filtering)
  * CORS restrictions (only allowed origins)
  * Lambda-side validation (cookie/token validation)
- OAuth callback endpoint must be publicly accessible
- Logout must work with expired tokens
- Userinfo validates cookies internally before returning data

## Security Posture
- Auth handler logs now encrypted at rest with KMS (AES-256)
- Key rotation enabled for compliance
- Lambda concurrency limited to prevent cost overruns
- Public auth endpoints documented and justified
- Defense-in-depth approach maintained (WAF + CORS + Lambda validation)

## Impact
- No breaking changes
- All new resources properly secured
- Passes all Checkov security scans for new code

…erability

Update serialize-javascript from 6.0.2 to ^7.0.3 to address GHSA-5c6j-r48x-rmvq
(CVE-2020-7660 incomplete fix). The vulnerability allows RCE via RegExp.flags
and Date.prototype.toISOString() when attacker controls input to serialize().

Changes:
- Add serialize-javascript ^7.0.3 as direct dependency
- Add top-level override for serialize-javascript
- Add nested override for rollup-plugin-terser dependency
- Add resolution for yarn compatibility
- Regenerate lock files

Add auth API Gateway methods to checkov baseline. These endpoints
intentionally have no API Gateway authorization because they are
part of the OAuth authentication flow:

- /auth/token-exchange - exchanges authorization code for tokens
- /auth/logout - clears httpOnly cookies
- /auth/userinfo - returns user info from validated cookies

Security is enforced at the Lambda level through:
- CORS restrictions to CloudFront domain
- Cookie validation and Okta token verification
- WAF rules (when configured)

Also baseline the new AuthHandler Lambda function for standard
Lambda checks (CKV_AWS_115, CKV_AWS_116, CKV_AWS_158).

…lity

The latest react-apexcharts (1.4.x+) requires apexcharts>=4.0.0 which
conflicts with the project's apexcharts@^3.33.2. Pin to 1.3.9 which
supports apexcharts@^3.18.0.

- Backend: Check token expiration in userinfo endpoint and return exp claim
- Frontend: Set up timer to auto-logout when token expires (with 30s buffer)
- Clear timer on logout and component unmount
- Mimics Cognito's automatic session expiration behavior

- Add nosemgrep comment to suppress urllib false positive in auth_handler
- Add new logout endpoint resource ID to checkov baseline
- Add underscore resolution to fix npm-audit vulnerability
- Regenerate package-lock.json to sync with package.json

Extract exp claim from id_token and use it for cookie max_age instead
of hardcoded 1 hour. This ensures cookie lifetime matches Okta's token
settings (30 min for Prod, 1 hour for Dev).

Validate that CUSTOM_AUTH_URL uses https:// scheme before making
requests to prevent file:// or other dangerous schemes (Bandit B310).

Add overrides and resolutions for transitive dependency vulnerabilities:
- flatted ^3.4.2 (CVE-1114526: DoS via unbounded recursion)
- serialize-javascript ^7.0.4 (CVE-1113686: RCE vulnerability)
- svgo ^2.8.1 (CVE-1114152: DoS via entity expansion)
- fast-xml-parser 5.5.6 (CVE-1114772: numeric entity expansion bypass)

These are pre-existing vulnerabilities in react-scripts and eslint
transitive dependencies, not caused by this PR's changes.

- Logout: Use silent logout (clear cookies only) without redirecting
  to Okta logout endpoint. Matches previous signoutSilent() behavior.
  No Okta Sign-out redirect URI configuration needed.

- ReAuth: Add zIndex 9999 to ReAuth modal so it appears on top of
  other dialogs like delete confirmation.