Support lakectl login: client, controller stub (#9644)

* Add LoginToken support to OpenAPI

- OpenAPI support
- Login tokens abstraction
- Controller hookup to login tokens abstraction

(This feature is unimplemented in base lakeFS, and only a trivial login
tokens abstraction exists here.)

* Add releaseTokenToMailbox API

This is typically only called by the browser -- but it's still handled as
OpenAPI in the controller.

* Add `lakectl login` client code

* Release token correctly, with usable web page

* make gen

* [lint] Make govet & golanci-lint pass again

* Open browser at login URL

* Update `lakectl help` golden file

* Use RetryClient in lakectl login

Use the same RetryClient type as the rest of lakeFS, only with a different
retry policy - one that retries status code 404.  This involves refactoring
getClient... so do that.

* Use different (longer) login retries config

* Explicitly redirect to login page from controller during lakectl login

releaseToken is _not_ part of the UI, and there is no implicit redirection
there from middleware.  Instead, redirect there from the controller.

* golangci-lint

* [bug] Copilot fixes: HTTP header issues, nit in doc

* [CR] Limit loginRequestToken length; extract X-Lakefs-Mailbox header

* [CR] Retrieve login URL from config when possible

* [CR] Fix bug: full redirect after login

Authentication changed in #9593.  This broke the ability to redirect to a
non-React URL after logging in -- which @Isan-Rivkin discovered broke
`lakectl login`.

Restore the ability to go to the particular route needed under /api/v1.
Checked by re-logging-in.

* [bug] Correctly encode "next" URL

It's a query param that contains "/" and ":" and things - encode it as such!

* [bug] Fix golangci-lint: actually copy URL

Author: arielshaqed

api/swagger.yml

@@ -3217,6 +3217,103 @@ paths:
         default:
           $ref: "#/components/responses/ServerError"
 
+  /auth/get-token/start:
+    get:
+      tags:
+        - auth
+        - experimental
+      security: []              # This a way to log in, no auth available.
+      operationId: getTokenRedirect
+      summary: start acquiring a token by logging in on a browser
+      responses:
+        303:
+          description: login on this page, await results on the mailbox URL
+          headers:
+            Location:
+              schema:
+                type: string
+              description: open this URL on the browser
+            X-LakeFS-Mailbox:
+              schema:
+                type: string
+              description: GET the token from this mailbox.  Keep the mailbox SECRET!
+        401:
+          $ref: "#/components/responses/Unauthorized"
+        429:
+          description: too many requests
+        501:
+          description: Not implemented in this edition.
+          $ref: "#/components/responses/NotImplemented"
+        default:
+          $ref: "#/components/responses/ServerError"
+
+  /auth/get-token/mailboxes/{mailbox}:
+    parameters:
+      - in: path
+        name: mailbox
+        required: true
+        schema:
+          type: string
+        description: mailbox returned by getTokenRedirect
+    get:
+      tags:
+        - auth
+        - experimental
+      security: []              # This a way to log in, no auth available.
+      operationId: getTokenFromMailbox
+      summary: receive the token after user has authenticated on redirect URL.
+      responses:
+        200:
+          description: user successfully logged in
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/AuthenticationToken"
+        401:
+          description: bad mailbox or user has not logged in yet
+          $ref: "#/components/responses/Unauthorized"
+        404:
+          description: not found or user has not logged in yet
+          $ref: "#/components/responses/NotFound"
+        429:
+          description: too many requests
+        501:
+          description: not implemented in this edition.
+          $ref: "#/components/responses/NotImplemented"
+        default:
+          $ref: "#/components/responses/ServerError"
+
+  /auth/get-token/release-token/{loginRequestToken}:
+    parameters:
+      - in: path
+        # The mailbox is secret.  It is identified by the loginRequestToken - a JWT which is
+        # _not_ secret.  So this JWT can safely go in a header.
+        name: loginRequestToken
+        required: true
+        schema:
+          type: string
+          maxLength: 1024
+        description: login request token returned by getTokenRedirect.
+    get:                        # Called by opening a URL on the browser!
+      tags:
+        - auth
+        - experimental
+      operationId: releaseTokenToMailbox
+      summary: release a token for the current (authenticated) user to the mailbox of this login request.
+      responses:
+        204:
+          description: token released
+        401:
+          description: bad token or user has not logged in yet
+          $ref: "#/components/responses/Unauthorized"
+        429:
+          description: too many requests
+        501:
+          description: not implemented in this edition.
+          $ref: "#/components/responses/NotImplemented"
+        default:
+          $ref: "#/components/responses/ServerError"
+
   /repositories:
     get:
       tags: