feat: implement authentication system for API Gateway and FileService

- Add JWT Bearer token validation to API Gateway with restricted CORS
- Add cookie-based JWT validation to FileService for browser image requests
- Create shared authentication infrastructure in FictionArchive.Service.Shared
- Update frontend to set fa_session cookie after OIDC login
- Add [Authorize] attributes to GraphQL mutations with role-based restrictions
- Configure OIDC settings for both services in docker-compose

Implements FA-17: Authentication for microservices architecture

fictionarchive-web/src/auth/AuthContext.tsx

@@ -2,6 +2,29 @@ import { createContext, useCallback, useContext, useEffect, useMemo, useRef, use
 import type { User } from 'oidc-client-ts'
 import { isOidcConfigured, userManager } from './oidcClient'
 
+// Cookie management helper functions
+function setCookieFromUser(user: User) {
+  if (!user?.access_token) return
+  
+  const isProduction = window.location.hostname !== 'localhost'
+  const domain = isProduction ? '.orfl.xyz' : undefined
+  const secure = isProduction
+  const sameSite = isProduction ? 'None' : 'Lax'
+  
+  // Set cookie with JWT token from user
+  const cookieValue = `fa_session=${user.access_token}; path=/; ${secure ? 'secure; ' : ''}samesite=${sameSite}${domain ? `; domain=${domain}` : ''}`
+  document.cookie = cookieValue
+}
+
+function clearFaSessionCookie() {
+  const isProduction = window.location.hostname !== 'localhost'
+  const domain = isProduction ? '.orfl.xyz' : undefined
+  
+  // Clear cookie by setting expiration date in the past
+  const cookieValue = `fa_session=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT${domain ? `; domain=${domain}` : ''}`
+  document.cookie = cookieValue
+}
+
 type AuthContextValue = {
   user: User | null
   isLoading: boolean
@@ -26,7 +49,12 @@ export function AuthProvider({ children }: { children: ReactNode }) {
     userManager
       .getUser()
       .then((loadedUser) => {
-        if (!cancelled) setUser(loadedUser ?? null)
+        if (!cancelled) {
+          setUser(loadedUser ?? null)
+          if (loadedUser) {
+            setCookieFromUser(loadedUser)
+          }
+        }
       })
       .finally(() => {
         if (!cancelled) setIsLoading(false)
@@ -41,8 +69,14 @@ export function AuthProvider({ children }: { children: ReactNode }) {
     const manager = userManager
     if (!manager) return
 
-    const handleLoaded = (nextUser: User) => setUser(nextUser)
-    const handleUnloaded = () => setUser(null)
+    const handleLoaded = (nextUser: User) => {
+      setUser(nextUser)
+      setCookieFromUser(nextUser)
+    }
+    const handleUnloaded = () => {
+      setUser(null)
+      clearFaSessionCookie()
+    }
 
     manager.events.addUserLoaded(handleLoaded)
     manager.events.addUserUnloaded(handleUnloaded)
@@ -72,6 +106,9 @@ export function AuthProvider({ children }: { children: ReactNode }) {
       .signinRedirectCallback()
       .then((nextUser) => {
         setUser(nextUser ?? null)
+        if (nextUser) {
+          setCookieFromUser(nextUser)
+        }
       })
       .catch((error) => {
         console.error('Failed to complete sign-in redirect', error)
@@ -103,6 +140,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
       console.error('Failed to sign out via redirect, clearing local session instead.', error)
       await manager.removeUser()
       setUser(null)
+      clearFaSessionCookie()
     }
   }, [])