fix: return 401/403 for API endpoints instead of redirecting

Cookie auth's HandleChallengeAsync issues a 302 redirect to the login
page by default. For fetch() API calls this causes the request to follow
the redirect, eventually hitting MapFallbackToController and returning
a user-visible 404.

Add OnRedirectToLogin and OnRedirectToAccessDenied handlers in
ConfigureApplicationCookie that return 401/403 for /api/* paths,
leaving the redirect behavior intact for browser page navigation.

This fixes POST /api/chat/stream returning a 404 for unauthenticated
users instead of a proper 401.

Author: Benjamin Michaelis

EssentialCSharp.Web/Program.cs

@@ -115,16 +115,19 @@ private static void Main(string[] args)
         builder.Services.AddDbContext<EssentialCSharpWebContext>(options => options.UseSqlServer(connectionString, sql => sql.EnableRetryOnFailure(5)));
 
         // Data Protection — persist keys across container restarts.
-        // ACA/production: keys in Azure Blob Storage (Managed Identity, Aspire-provisioned via dp-keys connection string).
+        // ACA/production: keys in Azure Blob Storage (Managed Identity, Aspire-provisioned via dp-blob connection string).
+        //   dp-blob is an Azure Blob Service URI: "https://account.blob.core.windows.net/"
+        //   Keys are stored as: {serviceUri}dataprotection/keys.xml
+        //   The library auto-creates the container on first write.
         // Local dev: keys in SQL Server (persistent via WithDataVolume in AppHost).
         // SetApplicationName ensures the discriminator is stable across container hostname changes.
-        var dpBlobUri = builder.Configuration.GetConnectionString("dp-keys");
+        var dpBlobServiceUri = builder.Configuration.GetConnectionString("dp-blob");
         var dataProtection = builder.Services.AddDataProtection()
             .SetApplicationName("EssentialCSharpWeb");
-        if (!string.IsNullOrEmpty(dpBlobUri))
+        if (!string.IsNullOrEmpty(dpBlobServiceUri))
         {
             dataProtection.PersistKeysToAzureBlobStorage(
-                new Uri($"{dpBlobUri.TrimEnd('/')}/keys.xml"),
+                new Uri(new Uri(dpBlobServiceUri), "dataprotection/keys.xml"),
                 new DefaultAzureCredential());
         }
         else
@@ -166,6 +169,25 @@ private static void Main(string[] args)
             options.Cookie.HttpOnly = true;
             options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
             options.SlidingExpiration = true;
+            // API endpoints must return 401/403 instead of redirecting to the login page.
+            // Cookie auth's default behavior (302 redirect) causes fetch() to follow the
+            // redirect, eventually hitting the fallback controller and returning a 404.
+            options.Events.OnRedirectToLogin = context =>
+            {
+                if (context.Request.Path.StartsWithSegments("/api"))
+                    context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                else
+                    context.Response.Redirect(context.RedirectUri);
+                return Task.CompletedTask;
+            };
+            options.Events.OnRedirectToAccessDenied = context =>
+            {
+                if (context.Request.Path.StartsWithSegments("/api"))
+                    context.Response.StatusCode = StatusCodes.Status403Forbidden;
+                else
+                    context.Response.Redirect(context.RedirectUri);
+                return Task.CompletedTask;
+            };
         });
 
         builder.Services.Configure<PasswordHasherOptions>(option =>