[APPS] Add OAuth request auth support #397
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ce9e4273d6
| if (!oauthRequestAuthPromise) { | ||
| oauthRequestAuthPromise = authorizeOAuthRequest(); | ||
| } | ||
| const requestAuth = await oauthRequestAuthPromise; | ||
| return request<T>({ ...opts, auth: requestAuth }); |
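Review bot: A failed authorization stays cached by the if (!oauthRequestAuthPromise) guard, because a promise object is truthy whether it resolved or rejected. If authorizeOAuthRequest() rejects once, every later call awaits the same rejection until the process restarts. Reset oauthRequestAuthPromise in a rejection handler so the next request can start a new authorization.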
Refresh OAuth auth after cached token expires
When OAuth is selected, the first successful getOAuthToken() result is cached in oauthRequestAuthPromise and reused for every later request, so long-lived contexts such as the Vite dev server middleware keep sending the same bearer token after its expiresAt has passed. Because getOAuthToken() only refreshes cached credentials when it is called, users who leave vite dev running past the access-token lifetime will get 401s on backend-function requests instead of transparently refreshing.
Useful? React with 👍 / 👎.
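A request-auth cache that avoids the stale-token behaviour described in the comment above, as an added example rather than code from this PR: it fetches again once expiresAt (assumed here to be epoch milliseconds) is reached, shares one fetch among concurrent callers, and does not keep a failed attempt. fetchToken stands in for the project's token lookup; createAuthCache, isStale and runDemo are hypothetical names.

```typescript
// Added example. Only `expiresAt` comes from the page; every other name is hypothetical.
type OAuthToken = { accessToken: string; expiresAt: number }; // epoch ms (assumed unit)
type TokenFetcher = () => Promise<OAuthToken>;

// Stale slightly before expiry, so a request does not leave with a token about to lapse.
function isStale(token: OAuthToken, now: number, skewMs: number = 30000): boolean {
  return now >= token.expiresAt - skewMs;
}

function createAuthCache(fetchToken: TokenFetcher, clock: () => number = Date.now) {
  let token: OAuthToken | undefined;
  let inFlight: Promise<OAuthToken> | undefined;

  return async function getAuthHeader(): Promise<string> {
    let current = token;
    if (!current || isStale(current, clock())) {
      if (!inFlight) {
        // One fetch shared by concurrent callers; forget it once settled so
        // neither an expired token nor a rejection stays cached.
        const pending = fetchToken();
        const clear = () => { inFlight = undefined; };
        pending.then(clear, clear);
        inFlight = pending;
      }
      current = token = await inFlight;
    }
    return `Bearer ${current.accessToken}`;
  };
}

// Constructed scenario: fake clock, and a fetcher whose first call fails.
async function runDemo(): Promise<{ headers: string[]; fetches: number }> {
  let now = 0;
  let fetches = 0;
  const fetchToken: TokenFetcher = async () => {
    fetches += 1;
    if (fetches === 1) throw new Error('authorization failed (constructed)');
    return { accessToken: `tok-${fetches}`, expiresAt: now + 3600000 };
  };
  const getAuthHeader = createAuthCache(fetchToken, () => now);
  const headers: string[] = [];
  headers.push(await getAuthHeader().catch(() => 'error')); // first attempt fails
  headers.push(await getAuthHeader());                       // retried, not stuck
  headers.push(await getAuthHeader());                       // served from cache
  now += 3600000;                                            // token lifetime passes
  const pair = await Promise.all([getAuthHeader(), getAuthHeader()]);
  headers.push(pair[0], pair[1]);                            // one shared refresh
  return { headers, fetches };
}
```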
| process.platform === 'darwin' | ||
| ? { command: 'open', args: [url] } | ||
| : process.platform === 'win32' | ||
| ? { command: 'cmd', args: ['/c', 'start', '', url] } |
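Review bot: In the win32 branch, url is handed to cmd /c start exactly as it arrives here, and cmd interprets its command line before start sees the URL. Parse the value with new URL(url) and require the https: protocol before choosing the opener, and consider launching the browser on Windows without going through cmd so that shell metacharacters in the URL are never interpreted.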
Quote OAuth URLs before invoking cmd
On Windows, the OAuth authorization URL contains query-string & separators, but it is passed unquoted through cmd /c start; Microsoft documents that & is a special cmd character that must be escaped or quoted (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd). For Windows users choosing OAuth, cmd will split the URL at the first &, so the browser opens a truncated authorization URL and the auth flow cannot complete reliably.
Useful? React with 👍 / 👎.
| const { auth, buildRoot } = context; | ||
|
|
||
| const doApiRequest = withApiAuth({ | ||
| const doApiRequest = withOAuthAndApiAuth({ |
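Review bot: This call site swaps withApiAuth for withOAuthAndApiAuth unconditionally, so the choice between OAuth and API/app keys now has to be made inside the wrapper from whatever auth carries. Add a test at this call site showing that, with no auth method configured, requests still go out with API/app keys and no browser authorization is started, and consider renaming doApiRequest now that it may send a bearer token instead.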
This allows us to bind auth functionality to the doRequest, making it easy to swap out either just api support or api and oauth support.

Motivation
Apps flows should be able to use Datadog OAuth instead of requiring API/app keys. This follows the request-auth plumbing introduced in the downstack PR and keeps OAuth isolated to a second, easier-to-review change.
Changes
Adds Datadog Authorization Code + PKCE support in core request auth. Core now owns OAuth config derivation from site, browser callback handling, token exchange, refresh, OS keychain caching, and bearer header injection.
Apps adds apps.authOverride.method and APPS_AUTH_METHOD env support. When the method is oauth, Apps composes requests through withOAuthAndApiAuth; otherwise it preserves the existing API/app key path:
The OAuth dependencies move to core because the helper is now core-owned. Apps keeps small compatibility re-exports for OAuth helpers.
QA Instructions
For manual verification, run an Apps upload with apps.authOverride.method: 'oauth' or DD_APPS_AUTH_METHOD=oauth and confirm the browser authorization flow completes and the app upload succeeds without API/app keys.
Blast Radius
This affects Apps plugin upload and local dev-server backend execution paths only when OAuth auth is selected. Existing API/app key behavior remains the default path.
Documentation