[EPIC](greenhouse): Authentication - shared Authentication Context for Shell and Plugins #1397

@ArtieReus

Description

Extend the existing authentication implementation to provide a shared authentication context that is accessible to both the shell application and its attached plugins.

Acceptance Criteria

  • Authentication Context & Access

    • Authentication data is exposed exclusively through a centralized, well-defined authentication context.
    • Authentication information is not passed via URLs, subdomains, query parameters, or path segments.
    • Plugins can only access authentication data explicitly exposed by the shared authentication context.
    • The shell application remains the single authority responsible for obtaining and refreshing authentication tokens.
  • Token Handling

    • Authentication tokens are never persisted by plugins (e.g. localStorage, sessionStorage, cookies).
    • Authentication tokens are not logged, serialized, or exposed via client-side error messages.
    • Token lifetime and refresh logic are handled centrally and are not reimplemented by plugins.
  • Isolation & Least Privilege

    • Plugins receive only the minimum authentication and user data required for their functionality.
    • Plugins cannot access authentication data belonging to other plugins or contexts.
    • Access to authentication data can be restricted or revoked on a per-plugin basis.
  • Transport & Exposure

    • Authentication data is not exposed via browser URLs, iframe parameters, or global window variables.
    • Authentication context is shared using secure, in-memory mechanisms only.
    • Cross-origin access to authentication data is denied unless explicitly designed, documented, and approved.
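A minimal sketch of how the acceptance criteria above could fit together, added here as an illustration and not taken from the issue or the Greenhouse code base. Every name in it (`createAuthContext`, `setSession`, `register`, `revoke`, the field names) is hypothetical, and the session values are constructed.

```javascript
// Added illustration: all names here (createAuthContext, setSession, register,
// revoke, the field names) are hypothetical, not Greenhouse APIs.
function createAuthContext() {
  let session = null;        // { token, expiresAt, user }, held only in this closure
  const grants = new Map();  // pluginId -> Set of fields that plugin may read

  function read(pluginId, field) {
    const allowed = grants.get(pluginId);
    if (!allowed || !allowed.has(field)) {
      throw new Error('auth: "' + field + '" is not granted to ' + pluginId);
    }
    if (!session || session.expiresAt <= Date.now()) {
      throw new Error("auth: no valid session");
    }
    return field === "token" ? session.token : session.user[field];
  }

  return {
    // Shell-only: called after the shell obtains or refreshes a token.
    setSession(next) { session = next; },
    // Shell-only: gives a plugin a handle limited to its own grant.
    register(pluginId, fields) {
      grants.set(pluginId, new Set(fields));
      // The handle carries no token property, so logging or serializing
      // it cannot leak the token; values are read on demand from memory.
      return Object.freeze({ get: (field) => read(pluginId, field) });
    },
    // Shell-only: per-plugin revocation; existing handles stop working.
    revoke(pluginId) { grants.delete(pluginId); },
  };
}

// Constructed sample session and plugins.
const shellAuth = createAuthContext();
shellAuth.setSession({
  token: "sample-token-not-real",
  expiresAt: Date.now() + 60000,
  user: { name: "Jane Doe", email: "jane@example.com" },
});
const apiPlugin = shellAuth.register("api-plugin", ["token", "name"]);
const uiPlugin = shellAuth.register("ui-plugin", ["name"]);
```

The shell keeps the object returned by `createAuthContext()` to itself and passes each plugin only its own handle, so a plugin cannot call `register` or `revoke` or read another plugin's grant.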

Labels: greenhouse (Greenhouse core related task)

Status: New
