feat: implement authentication system for API Gateway and FileService

- Add JWT Bearer token validation to API Gateway with restricted CORS
- Add cookie-based JWT validation to FileService for browser image requests
- Create shared authentication infrastructure in FictionArchive.Service.Shared
- Update frontend to set fa_session cookie after OIDC login
- Add [Authorize] attributes to GraphQL mutations with role-based restrictions
- Configure OIDC settings for both services in docker-compose

Implements FA-17: Authentication for microservices architecture

docker-compose.yml

@@ -128,6 +128,9 @@ services:
       S3__AccessKey: ${S3_ACCESS_KEY}
       S3__SecretKey: ${S3_SECRET_KEY}
       Proxy__BaseUrl: https://files.orfl.xyz/api
+      OIDC__Authority: https://auth.orfl.xyz/application/o/fictionarchive/
+      OIDC__ClientId: fictionarchive-files
+      OIDC__Audience: fictionarchive-api
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
       interval: 30s
@@ -151,6 +154,9 @@ services:
     image: git.orfl.xyz/conco/fictionarchive-api:latest
     environment:
       ConnectionStrings__RabbitMQ: amqp://${RABBITMQ_USER:-guest}:${RABBITMQ_PASSWORD:-guest}@rabbitmq
+      OIDC__Authority: https://auth.orfl.xyz/application/o/fictionarchive/
+      OIDC__ClientId: fictionarchive-api
+      OIDC__Audience: fictionarchive-api
     healthcheck:
       test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
       interval: 30s