Is your feature request related to a problem? Please describe.

The Django `SECRET_KEY` is used as the JWT signing secret when `COOKIE_AUTH_ENABLED` is set but no `COOKIE_AUTH_JWT_SIGNING_KEY` was provided: flagsmith/api/app/settings/common.py, line 837 in 2fe4e02.

Our default Helm values do not define a secret key, so one gets randomly generated on each deployment: https://github.com/Flagsmith/flagsmith-charts/blob/65ce6fd59b9dc3189e44cc8f4766aa5d8e468724/charts/flagsmith/values.yaml#L39-L44

Because the `/auth/saml/{configuration}/request/` endpoint validates cookies, the following can happen:

1. Log in via SSO - a JWT cookie gets set.
2. Redeploy Flagsmith without a secret key - another secret key gets generated.
3. Try to log in via SSO again - because the user still has a cookie set with the old secret key, this gets rejected by `/auth/saml/{configuration}/request` and the user cannot log in until they clear their cookies.

This is technically not a bug since users should be setting secret keys, but it is a quality-of-life improvement to avoid confusing behaviour when testing Flagsmith infrastructure.

Describe the solution you'd like.

`/auth/saml/{configuration}/request` is a public endpoint, so it should not validate cookies at all.

Describe alternatives you've considered

Alternatively, clear cookies even before login if they were rejected by having an invalid signature. This is a possibly more intrusive change, and is already handled correctly by the frontend after login.

Additional context

No response
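To make the failure mode concrete, here is an added illustration (not Flagsmith's own code) of a `SECRET_KEY` rotation invalidating an HS256 session cookie, and of the two handling strategies the issue describes: a protected view rejects the stale cookie, while the public SSO-start endpoint ignores it (optionally asking the client to clear it). The `settings` dict, the view names and the cookie format are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_signing_key(settings: dict) -> str:
    """Fallback the issue describes: COOKIE_AUTH_JWT_SIGNING_KEY if set, else SECRET_KEY (assumed dict)."""
    return settings.get("COOKIE_AUTH_JWT_SIGNING_KEY") or settings["SECRET_KEY"]

def issue_cookie(claims: dict, key: str) -> str:
    """Minimal HS256 JWT (header.payload.signature) standing in for the session cookie."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_cookie(token: str, key: str) -> dict:
    """Return the claims when the HMAC matches the current key; raise ValueError otherwise."""
    head, body, sig = token.split(".")  # malformed token: ValueError from the unpack
    expected = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("invalid JWT signature")
    return json.loads(_unb64(body))

def protected_view(cookie: Optional[str], key: str) -> int:
    """Authenticated endpoint: a missing or unverifiable cookie is a 401."""
    try:
        verify_cookie(cookie or "", key)
    except ValueError:
        return 401
    return 200

def public_saml_request(cookie: Optional[str], key: str) -> Tuple[int, bool]:
    """Public SSO-start endpoint: the cookie is not required, so a stale one never blocks
    the flow. Returns (status, clear_cookie) where clear_cookie is the issue's alternative fix."""
    if cookie is None:
        return 200, False
    try:
        verify_cookie(cookie, key)
    except ValueError:
        return 200, True  # stale signature: proceed anyway, tell the client to drop it
    return 200, False
```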