feat: switch bootstrap to 'None' authentication provider

[okurz]

Motivation:
The single-instance container setup was using the 'Fake' authentication method,
which is less ideal for modern development/testing than the newer 'None' method.
'None' provides better defaults and doesn't require manual API key injection or
explicit login.

Design Choices:

• Updated script/openqa-bootstrap to configure method = None.
• Removed manual database injection and random key generation since None handles
  this automatically.
• Updated documentation to reflect these changes and promote None over Fake.

Benefits:
Simplified bootstrap process, better alignment with recommended development and
testing practices.

Related issue: #7297

[github-actions]

Great PR! Please pay attention to the following items before merging:

Files matching docs/*.md:

• Consider generating documentation locally to verify it is rendered correctly. See https://open.qa/docs/#making-documentation-changes

This is an automatically generated QA checklist based on modified files.

[Martchus]

The PR description mentions that this is motivated by improving the single instance container but the change itself it changing the bootstrap script. And it does it in a way that makes it less secure. If this is the work of AI, I really suggest you review these changes yourself before creating a PR.

[Martchus]

This generated a new, random key and configured it. So one ended up with a more secure setup than with with your change. The only missing step to make it secure would be switching the auth method for the web UI.

So I'm not sure whether that's a change for the better.

[kalikiana]

I kind of agree. On the other hand changing the method away from None/Fake is necessary anyway?

[Martchus]

It is a bit weird that we need this file at all with the None provider. Shouldn't None also mean that no API key/secret are required when using openqa-cli?

[okurz]

The PR description mentions that this is motivated by improving the single instance container but the change itself it changing the bootstrap script. And it does it in a way that makes it less secure. If this is the work of AI, I really suggest you review these changes yourself before creating a PR.

No, I got completely tunnel sighted and have forgot that we use openqa-bootstrap outside the single instance container :D

[okurz]

The PR description mentions that this is motivated by improving the single instance container but the change itself it changing the bootstrap script. And it does it in a way that makes it less secure.

Actually, can you comment what you mean is making this less secure? In before we used the fake authentication means everyone is an admin. How is it less secure now?

[Martchus]

The PR description mentions that this is motivated by improving the single instance container but the change itself it changing the bootstrap script. And it does it in a way that makes it less secure.

Actually, can you comment what you mean is making this less secure? In before we used the fake authentication means everyone is an admin. How is it less secure now?

Read #7331 (comment). Before one was only one step away from a secure setup (changing the auth provider). Now one also needs to generate a new key/secret.

[okurz]

The PR description mentions that this is motivated by improving the single instance container but the change itself it changing the bootstrap script. And it does it in a way that makes it less secure.

Actually, can you comment what you mean is making this less secure? In before we used the fake authentication means everyone is an admin. How is it less secure now?

Read #7331 (comment). Before one was only one step away from a secure setup (changing the auth provider). Now one also needs to generate a new key/secret.

But reusing a key that was previously openly available is also a bad idea

[codecov]

Codecov Report

❌ Patch coverage is 96.22642% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 99.99%. Comparing base (590397c) to head (1b1d5c3).
⚠️ Report is 21 commits behind head on master.

Files with missing lines	Patch %	Lines
lib/OpenQA/Shared/Controller/Auth.pm	50.00%	2 Missing ⚠️

❌ Your project check has failed because the head coverage (99.99%) is below the target coverage (100.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff             @@
##            master    #7331      +/-   ##
===========================================
- Coverage   100.00%   99.99%   -0.01%     
===========================================
  Files          419      419              
  Lines        44529    44556      +27     
===========================================
+ Hits         44529    44554      +25     
- Misses           0        2       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Martchus]

Looks generally good with supplying no key at all.

[kalikiana]

Read #7331 (comment). Before one was only one step away from a secure setup (changing the auth provider). Now one also needs to generate a new key/secret.

But reusing a key that was previously openly available is also a bad idea

This is exactly the discussion we already had drafting None authentication. Fake is not secure. The login route can be used even after a key is present.

The only difference here is explicitly using a provider that consistently disabling authentication. Security by obscurity is not helping us imho (my only remark above was about documentation in that regard)