feat: adjust the playground to support the auth token #3240

Open
unseen2004 wants to merge 1 commit into FuelLabs:master from unseen2004:feat/playground-auth-token

Conversation

@unseen2004

close #3140

Summary

Adds auth token support to the GraphQL playground at /v1/playground.

Users can now pass an auth token via the ?token=<value> URL query parameter,
which gets injected as an Authorization: Bearer <token> header into the GraphiQL UI.
This enables usage with external data providers like Quicknode, Ankr, etc.

Changes

  • Accept an optional ?token= query parameter on the /v1/playground route
  • When a token is present, build fresh GraphiQL HTML with the Authorization: Bearer header injected
  • When no token is provided, fall back to the existing cached static HTML — no behavior change for current users
  • Extracted a build_playground_html helper to avoid code duplication

Testing

  • Existing behavior is unchanged when no token is passed
  • Navigate to /v1/playground?token=my-api-key to verify the header is injected in GraphiQL requests

…param

close FuelLabs#3140

Allows users to pass an auth token via the URL query parameter `?token=<value>`
when accessing the GraphQL playground at /v1/playground. The token is injected
as an `Authorization: Bearer <token>` header in the GraphiQL UI, enabling usage
with external data providers like Quicknode, Ankr, etc.

When no token is provided, the existing cached static HTML is used unchanged.
unseen2004 requested review from a team, Dentosal, MitchTurner and xgreenx as code owners on March 29, 2026 18:41
@fuel-cla-bot

fuel-cla-bot Bot commented Mar 29, 2026

Thanks for the contribution! Before we can merge this, we need @unseen2004 to sign the Fuel Labs Contributor License Agreement.

@cursor

cursor Bot commented Mar 29, 2026

PR Summary

Medium Risk
Adds a new way to inject Authorization headers into the in-browser GraphiQL UI via a URL query parameter, which can unintentionally expose tokens via URLs/logs/history. Runtime behavior for existing no-token users is unchanged due to cached HTML fallback.

Overview
Adds optional authentication preconfiguration for the GraphQL playground: /v1/playground now accepts ?token= and, when present, renders GraphiQL HTML that injects Authorization: Bearer <token> into requests.

Refactors playground rendering by extracting build_playground_html, while preserving the existing cached static HTML path for the common no-token case (so current behavior/perf remains the same).

Written by Cursor Bugbot for commit 391a485. This will update automatically on new commits.


cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


graphql_subscription_endpoint,
token,
)
};

Reflected XSS via unsanitized token query parameter

High Severity

The token query parameter is taken directly from the URL and passed unsanitized into GraphiQLSource::build().header(), which embeds the value into a <script> tag in the HTML response. Since async-graphql uses Handlebars templating with JSON serialization for headers (and serde_json does not escape <, >, or / by default), an attacker can craft a URL like /v1/playground?token=</script><script>alert(1)// to inject arbitrary JavaScript — a classic reflected XSS. The token value needs validation or sanitization before being embedded in the HTML output.

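The PR description and the Bugbot finding above describe the same code path: a value taken from `?token=` is written into a `<script>` block of the GraphiQL page. The block below is an added example, not fuel-core's or async-graphql's code, showing the two controls a handler on that path needs: an allow-list check that rejects anything outside the RFC 6750 bearer-token alphabet (which the `</script>` probe from the report fails), and JavaScript-string escaping for whatever is embedded, since `serde_json` leaves `<` and `>` untouched. The function names (`token_from_query`, `is_valid_bearer_token`, `js_string_escape`, `build_headers_script`), the hand-rolled query-string decoding and the 4096-byte length cap are assumptions made for this example; the real route would take the parameter from the framework's extractor and still hand the value to `GraphiQLSource::build().header()`.

```rust
// Added example (not fuel-core's or async-graphql's code). Demonstrates the
// checks a /v1/playground?token= handler needs before a token is embedded in
// the GraphiQL <script> block. All function names here are assumptions.

/// Percent-decode one query-string value (`+` becomes a space, as
/// application/x-www-form-urlencoded does; clients should send `+` as %2B).
fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'%' => {
                // Two hex digits must follow; anything else is malformed input.
                let hex = s.get(i + 1..i + 3)?;
                out.push(u8::from_str_radix(hex, 16).ok()?);
                i += 3;
            }
            b'+' => {
                out.push(b' ');
                i += 1;
            }
            b => {
                out.push(b);
                i += 1;
            }
        }
    }
    String::from_utf8(out).ok()
}

/// Extract the `token` parameter from a raw query string such as
/// "token=my-api-key&other=1". Returns None when absent or undecodable.
pub fn token_from_query(query: &str) -> Option<String> {
    query
        .split('&')
        .filter_map(|kv| kv.split_once('='))
        .find(|(k, _)| *k == "token")
        .and_then(|(_, v)| percent_decode(v))
}

/// Allow-list check against the RFC 6750 `b64token` grammar:
/// 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=".
/// `<`, `>`, quotes, spaces and control characters are all outside it.
pub fn is_valid_bearer_token(token: &str) -> bool {
    const MAX_LEN: usize = 4096; // assumed upper bound; real API keys are far shorter
    if token.is_empty() || token.len() > MAX_LEN {
        return false;
    }
    let bytes = token.as_bytes();
    let mut end = bytes.len();
    while end > 0 && bytes[end - 1] == b'=' {
        end -= 1; // trailing '=' padding is permitted by the grammar
    }
    end > 0
        && bytes[..end].iter().all(|&b| {
            b.is_ascii_alphanumeric() || matches!(b, b'-' | b'.' | b'_' | b'~' | b'+' | b'/')
        })
}

/// Serialize `s` as a JavaScript string literal that is safe inside <script>.
/// A plain JSON string containing "</script>" would close the tag; escaping
/// `<` and `>` as \u003c / \u003e keeps the browser inside the literal.
pub fn js_string_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('"');
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '<' => out.push_str("\\u003c"),
            '>' => out.push_str("\\u003e"),
            '&' => out.push_str("\\u0026"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            // U+2028/U+2029 are line terminators in JS but not in JSON.
            '\u{2028}' | '\u{2029}' => out.push_str(&format!("\\u{:04x}", c as u32)),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Produce the header-injection snippet for the page. Defense in depth:
/// validate first (reject bad input), then escape what is embedded anyway.
pub fn build_headers_script(token: Option<&str>) -> Result<String, &'static str> {
    match token {
        None => Ok(String::from("const headers = {};")),
        Some(t) if !is_valid_bearer_token(t) => Err("token rejected: not a valid bearer token"),
        Some(t) => Ok(format!(
            "const headers = {{\"Authorization\": {}}};",
            js_string_escape(&format!("Bearer {}", t))
        )),
    }
}

fn main() {
    // Constructed inputs: a normal key, the probe from the review, and no token at all.
    let queries = ["token=my-api-key", "token=%3C%2Fscript%3E%3Cscript%3Ealert(1)%2F%2F", "nope=1"];
    for query in queries {
        let token = token_from_query(query);
        match build_headers_script(token.as_deref()) {
            Ok(js) => println!("{query:48} -> {js}"),
            Err(e) => println!("{query:48} -> 400 Bad Request ({e})"),
        }
    }
}
```

The rejection path should answer with a 400 rather than silently falling back to the cached HTML, so a caller whose key contains stray characters learns why the header never arrived. Separately from the XSS point, the Medium Risk note above still holds after these checks: a token carried in the query string is written to access logs, browser history and any Referer header the playground page emits, so the cached no-token page plus a header the user pastes into GraphiQL's own headers pane is the lower-exposure option where that is acceptable.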


Development

Successfully merging this pull request may close these issues.

Adjust the playground to support the auth token
