[backend/frontend] Fix localStrategy on force env (#15311) #15333

Merged
aHenryJard merged 12 commits into master from issue/15311
Apr 8, 2026
Conversation

@aHenryJard
Member

@aHenryJard aHenryJard commented Apr 2, 2026

Proposed changes

  • Move all authentication settings to a ts file
  • Fix local auth
  • Fix error log on OpenID issue
  • Enable security policy in UI when force env is used

Related issues

Checklist

  • I consider the submitted work as finished
  • I tested the code for its functionality
  • I wrote test cases for the relevant use cases (coverage and e2e)
  • I added/updated the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

@github-actions github-actions Bot added the filigran team use to identify PR from the Filigran team label Apr 2, 2026
@codecov

codecov Bot commented Apr 2, 2026

Codecov Report

❌ Patch coverage is 91.60305% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 33.10%. Comparing base (ce80dd5) to head (0d9d2fc).
⚠️ Report is 41 commits behind head on master.

Files with missing lines Patch % Lines
...nts/settings/sso_definitions/LocalStrategyForm.tsx 0.00% 4 Missing ⚠️
...-platform/opencti-graphql/src/http/httpPlatform.js 0.00% 3 Missing ⚠️
...ql/src/modules/authenticationProvider/providers.ts 86.66% 2 Missing ⚠️
...onents/settings/sso_definitions/SSODefinitions.tsx 0.00% 1 Missing ⚠️
...cationProvider/authenticationProvider-migration.ts 80.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #15333      +/-   ##
==========================================
+ Coverage   32.62%   33.10%   +0.48%     
==========================================
  Files        3148     3158      +10     
  Lines      213790   216221    +2431     
  Branches    38776    39793    +1017     
==========================================
+ Hits        69749    71581    +1832     
- Misses     144041   144640     +599     
Flag Coverage Δ
opencti-client-python 44.48% <ø> (-1.05%) ⬇️
opencti-front 2.87% <0.00%> (+<0.01%) ⬆️
opencti-graphql 69.45% <95.23%> (+1.60%) ⬆️

Contributor

Copilot AI left a comment

Pull request overview

This PR updates how OpenCTI handles authentication provider initialization when app.authentication.force_env is enabled, aiming to correctly respect providers.local.config.disabled (while still keeping the “safety net” behavior), and refactors authentication-related settings mutations into a dedicated backend module. It also adjusts frontend settings screens to expose/lock relevant controls under env-managed auth and improves some auth callback logging.

Changes:

  • Refactor built-in auth settings helpers/mutations into src/domain/setting-auth.ts and update backend imports accordingly.
  • Rework initializeAuthenticationProviders to align local_auth with env configuration under force_env, and adjust the local “safety net” logic.
  • Update frontend authentication settings UI behavior when auth is managed via environment configuration; add translations for the new tooltip.

Reviewed changes

Copilot reviewed 21 out of 22 changed files in this pull request and generated 9 comments.

File Description
opencti-platform/opencti-graphql/tests/03-integration/10-modules/authenticationProvider/providers-test.ts Adds integration coverage for force-env/local-disabled behavior and setting-auth helpers
opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-migration-test.ts Updates import location for isLocalAuthEnabledInEnv
opencti-platform/opencti-graphql/src/types/settings.d.ts Extends LocalAuthConfig type
opencti-platform/opencti-graphql/src/resolvers/settings.js Switches auth settings mutations to domain/setting-auth
opencti-platform/opencti-graphql/src/modules/authenticationProvider/providers.ts Updates provider initialization flow for force-env + local handling; logging tweak
opencti-platform/opencti-graphql/src/modules/authenticationProvider/providers-env-deprecated.js Minor comment additions in env provider init
opencti-platform/opencti-graphql/src/modules/authenticationProvider/providers-configuration.ts Wraps force-local flag; adds isLocalAuthEnabledInEnv helper
opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts Reuses getProvidersFromEnvironment / isLocalAuthEnabledInEnv; updates auth settings mutation imports
opencti-platform/opencti-graphql/src/http/httpPlatform.js Improves auth callback error logging context/messages
opencti-platform/opencti-graphql/src/domain/settings.js Extracts auth provider list builder; adds getSettingsFromDatabase
opencti-platform/opencti-graphql/src/domain/setting-auth.ts New module for auth settings mutations and provider listing
opencti-platform/opencti-front/src/private/components/settings/sso_definitions/SSODefinitions.tsx Renders auth settings sections even under env-managed auth + shows alert
opencti-platform/opencti-front/src/private/components/settings/sso_definitions/LocalStrategyForm.tsx Disables local toggle under env-managed auth and adds tooltip hint
opencti-platform/opencti-front/lang/front/*.json Adds tooltip translation string; minor ordering/formatting adjustments

Comment thread opencti-platform/opencti-graphql/src/domain/setting-auth.ts
Comment thread opencti-platform/opencti-graphql/src/domain/setting-auth.ts
Comment thread opencti-platform/opencti-graphql/src/modules/authenticationProvider/providers.ts Outdated
@aHenryJard aHenryJard marked this pull request as ready for review April 3, 2026 07:27
@marieflorescontact marieflorescontact self-requested a review April 3, 2026 08:01
@CelineSebe
Member

Tested locally 👌, is this error correct?
[image]

Member

@marieflorescontact marieflorescontact left a comment

locally tested ok

@aHenryJard
Member Author

> Tested locally 👌, is this error correct? [image]

Thanks, there is something to check with LDAP & local auth disabled.

@aHenryJard aHenryJard marked this pull request as draft April 7, 2026 14:25
Comment thread opencti-platform/opencti-graphql/src/modules/authenticationProvider/providers.ts Outdated
@aHenryJard aHenryJard marked this pull request as ready for review April 8, 2026 07:26
@CelineSebe
Member

tested locally it's ok
[image]

@aHenryJard aHenryJard merged commit 0f4b43d into master Apr 8, 2026
45 checks passed
Labels

filigran team use to identify PR from the Filigran team

Development

Successfully merging this pull request may close these issues.

SSO: When using force env with local.config.disabled = true, local is not disabled

4 participants