feat: implement authentication system for API Gateway and FileService

- Add JWT Bearer token validation to API Gateway with restricted CORS
- Add cookie-based JWT validation to FileService for browser image requests
- Create shared authentication infrastructure in FictionArchive.Service.Shared
- Update frontend to set fa_session cookie after OIDC login
- Add [Authorize] attributes to GraphQL mutations with role-based restrictions
- Configure OIDC settings for both services in docker-compose

Implements FA-17: Authentication for microservices architecture

FictionArchive.Service.SchedulerService/GraphQL/Mutation.cs

@@ -1,6 +1,7 @@
 using System.Data;
 using FictionArchive.Service.SchedulerService.Models;
 using FictionArchive.Service.SchedulerService.Services;
+using HotChocolate.Authorization;
 using HotChocolate.Types;
 using Quartz;
 
@@ -10,18 +11,21 @@ public class Mutation
 {
     [Error<DuplicateNameException>]
     [Error<FormatException>]
+    [Authorize(Roles = "admin")]
     public async Task<SchedulerJob> ScheduleEventJob(string key, string description, string eventType, string eventData, string cronSchedule, JobManagerService jobManager)
     {
         return await jobManager.ScheduleEventJob(key, description, eventType, eventData, cronSchedule);
     }
 
     [Error<JobPersistenceException>]
+    [Authorize(Roles = "admin")]
     public async Task<bool> RunJob(string jobKey, JobManagerService jobManager)
     {
         return await jobManager.TriggerJob(jobKey);
     }
 
     [Error<KeyNotFoundException>]
+    [Authorize(Roles = "admin")]
     public async Task<bool> DeleteJob(string jobKey, JobManagerService jobManager)
     {
         bool deleted = await jobManager.DeleteJob(jobKey);