Refactor Blazor auth to cookie-based BFF pattern with JWT API calls

Replaces complex token management with simpler cookie-based authentication for Blazor Server SSR. Login now uses HTML form POST to BFF endpoint that calls identity API, stores JWT token in cookie claims, and attaches it to API requests via delegating handler.

Key changes:
- Add SimpleBffAuth with /api/auth/login and /api/auth/logout endpoints
- Add CookieAuthenticationStateProvider (extends ServerAuthenticationStateProvider)
- Add AuthorizationHeaderHandler to attach JWT Bearer tokens to API requests
- Add SimpleLogin.razor with HTML form POST (not AJAX)
- Add ThemeStateFactory for SSR-compatible tenant theme caching
- Remove old BffAuth, TokenAccessor, TokenSessionAccessor, and circuit handler
- Update PlaygroundLayout, UsersPage, UserDetailPage to use AuthenticationStateProvider

Fixes login flow and API authorization (401 errors resolved).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: iammukeshm

.claude/settings.local.json

@@ -492,4 +492,6 @@ docs/
 spec-os/
 /PLAN.md
 **/nul
-**/wwwroot/uploads/*
+**/wwwroot/uploads/*
+/agent_docs/blazor.md
+/.claude/settings.local.json

.gitignore

@@ -7,7 +7,7 @@
     <base href="/" />  
     <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700&display=swap" rel="stylesheet" />
     <link href=@Assets["_content/MudBlazor/MudBlazor.min.css"] rel="stylesheet" />
-    <link href="@Assets["_content/FSH.Framework.Blazor.UI/fsh-theme.css"]" rel="stylesheet" />
+    <link href="@Assets["_content/FSH.Framework.Blazor.UI/css/fsh-theme.css"]" rel="stylesheet" />
     <ImportMap />
     <link rel="icon" type="image/ico" href="favicon.ico" />
     <HeadOutlet @rendermode="InteractiveServer" />

src/Playground/Playground.Blazor/Components/App.razor

@@ -7,13 +7,16 @@
 @using FSH.Playground.Blazor.Components.Pages
 @using Microsoft.AspNetCore.WebUtilities
 @using FSH.Playground.Blazor.Services
+@using Microsoft.AspNetCore.Components.Authorization
+@using System.Security.Claims
+@inject IHttpContextAccessor HttpContextAccessor
+@inject AuthenticationStateProvider AuthenticationStateProvider
 @inject IHttpClientFactory HttpClientFactory
 @inject NavigationManager Navigation
 @inject ISnackbar Snackbar
 @inject MudTheme FshTheme
 @inject ITenantThemeState TenantThemeState
-@inject FSH.Playground.Blazor.Services.Api.ITokenSessionAccessor TokenSessionAccessor
-@inject FSH.Playground.Blazor.Services.Api.ITokenAccessor TokenAccessor
+@inject IThemeStateFactory ThemeStateFactory
 @inject FSH.Playground.Blazor.ApiClient.IIdentityClient IdentityClient
 
 <MudThemeProvider Theme="@_theme" IsDarkMode="_isDarkMode" />
@@ -31,7 +34,7 @@
 }
 else if (!_isAuthenticated)
 {
-    <Login />
+    <SimpleLogin />
 }
 else
 {
@@ -79,12 +82,44 @@ else
     private string? _userRole;
     private string? _avatarUrl;
 
-    protected override void OnInitialized()
+    protected override async Task OnInitializedAsync()
     {
-        base.OnInitialized();
-        _theme = TenantThemeState.Theme;
-        _isDarkMode = TenantThemeState.IsDarkMode;
+        await base.OnInitializedAsync();
+
+        // SSR-friendly authentication check via HttpContext
+        var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
+        _isAuthenticated = authState.User?.Identity?.IsAuthenticated ?? false;
+
+        if (_isAuthenticated)
+        {
+            // Extract user info from claims (available in SSR)
+            var user = authState.User;
+            _userName = user.FindFirst(ClaimTypes.Name)?.Value ?? user.FindFirst(ClaimTypes.Email)?.Value ?? "User";
+            _userEmail = user.FindFirst(ClaimTypes.Email)?.Value;
+            _userRole = user.FindFirst(ClaimTypes.Role)?.Value;
+
+            // Load theme from cache (fast, SSR-compatible)
+            var httpContext = HttpContextAccessor.HttpContext;
+            if (httpContext is not null)
+            {
+                var tenantId = httpContext.Request.Cookies["fsh_tenant"] ?? "root";
+                var themeSettings = await ThemeStateFactory.GetThemeAsync(tenantId);
+                _theme = themeSettings.ToMudTheme();
+                // Dark mode preference is user-specific, default to false for SSR
+                _isDarkMode = false;
+            }
+        }
+        else
+        {
+            // Use default theme for non-authenticated users
+            _theme = TenantThemeState.Theme;
+            _isDarkMode = false;
+        }
+
+        // Subscribe to theme changes (for Interactive mode)
         TenantThemeState.OnThemeChanged += HandleThemeChanged;
+
+        _authStatusLoaded = true;
     }
 
     private void HandleThemeChanged()
@@ -103,29 +138,12 @@ else
     {
         await base.OnAfterRenderAsync(firstRender);
 
-        if (firstRender && !_authStatusLoaded)
+        if (firstRender && _isAuthenticated)
         {
-            var client = HttpClientFactory.CreateClient();
-            var uri = Navigation.ToAbsoluteUri("/auth/status");
-
-            try
-            {
-                var response = await client.GetAsync(uri);
-                _isAuthenticated = response.IsSuccessStatusCode;
-                if (_isAuthenticated)
-                {
-                    await HydrateSessionAsync(client);
-                    // Load tenant theme after authentication
-                    await TenantThemeState.LoadThemeAsync();
-                    // Load user profile
-                    await LoadUserProfileAsync();
-                }
-            }
-            catch
-            {
-                _isAuthenticated = false;
-            }
+            // Load full profile in Interactive mode
+            await LoadUserProfileAsync();
 
+            // Handle toast notifications
             var currentUri = new Uri(Navigation.Uri);
             var query = QueryHelpers.ParseQuery(currentUri.Query);
             if (query.TryGetValue("toast", out var toastValues))
@@ -144,15 +162,14 @@ else
                 Navigation.NavigateTo(cleanUri, false);
             }
 
-            _authStatusLoaded = true;
             StateHasChanged();
         }
     }
 
     private async Task LogoutAsync()
     {
         var client = HttpClientFactory.CreateClient();
-        var uri = Navigation.ToAbsoluteUri("/auth/logout");
+        var uri = Navigation.ToAbsoluteUri("/api/auth/logout");
         try
         {
             var response = await client.PostAsync(uri, content: null);
@@ -191,34 +208,6 @@ else
         false => Icons.Material.Outlined.DarkMode,
     };
 
-    private async Task HydrateSessionAsync(HttpClient client)
-    {
-        try
-        {
-            var sessionResponse = await client.GetAsync(Navigation.ToAbsoluteUri("/auth/session"));
-            if (!sessionResponse.IsSuccessStatusCode)
-            {
-                return;
-            }
-
-            var sessionInfo = await sessionResponse.Content.ReadFromJsonAsync<SessionInfoResult>();
-            if (sessionInfo is null || string.IsNullOrWhiteSpace(sessionInfo.SessionId))
-            {
-                return;
-            }
-
-            TokenSessionAccessor.SessionId = sessionInfo.SessionId;
-            TokenAccessor.AccessToken = sessionInfo.AccessToken;
-            TokenAccessor.RefreshToken = sessionInfo.RefreshToken;
-            TokenAccessor.AccessTokenExpiresAt = sessionInfo.AccessTokenExpiresAt;
-            TokenAccessor.RefreshTokenExpiresAt = sessionInfo.RefreshTokenExpiresAt;
-        }
-        catch
-        {
-            // swallow; fall back to fresh login if session cannot be hydrated
-        }
-    }
-
     private async Task LoadUserProfileAsync()
     {
         try

src/Playground/Playground.Blazor/Components/Layout/PlaygroundLayout.razor

@@ -1,5 +1,6 @@
 @page "/dashboard"
 @page "/"
+@attribute [StreamRendering(true)]
 @using System.Linq
 @inherits ComponentBase
 @inject FSH.Playground.Blazor.ApiClient.IV1Client V1Client

src/Playground/Playground.Blazor/Components/Pages/Dashboard/DashboardPage.razor

@@ -0,0 +1,50 @@
+@page "/login"
+@using FSH.Framework.Shared.Multitenancy
+@using FSH.Playground.Blazor.Services
+@inject NavigationManager Navigation
+@inject IHttpClientFactory HttpClientFactory
+
+<MudContainer MaxWidth="MaxWidth.False"
+              Class="d-flex justify-center align-center"
+              Style="min-height:100vh; background-color:#F3F4F6;">
+    <MudPaper Class="pa-6" Elevation="1"
+              Style="max-width:420px; width:100%; background-color:#FFFFFF; border-radius:1rem; border:1px solid #E5E7EB;">
+        <form method="post" action="/api/auth/login">
+            <MudStack Spacing="2">
+                <MudText Typo="Typo.overline" Color="Color.Primary">FSH Playground</MudText>
+                <MudText Typo="Typo.h5">Sign in</MudText>
+                <MudText Typo="Typo.body2" Class="mb-2" Color="Color.Secondary">
+                    Use your FSH credentials for the <b>root</b> tenant.
+                </MudText>
+
+                <input type="hidden" name="Tenant" value="root" />
+
+                <MudTextField @bind-Value="_email"
+                              Label="Email"
+                              name="Email"
+                              Variant="Variant.Outlined"
+                              Class="mb-3" />
+
+                <MudTextField @bind-Value="_password"
+                              Label="Password"
+                              name="Password"
+                              InputType="InputType.Password"
+                              Variant="Variant.Outlined"
+                              Class="mb-4" />
+
+                <MudButton ButtonType="ButtonType.Submit"
+                           Color="Color.Primary"
+                           Variant="Variant.Filled"
+                           FullWidth="true"
+                           Class="mb-2">
+                    Sign in
+                </MudButton>
+            </MudStack>
+        </form>
+    </MudPaper>
+</MudContainer>
+
+@code {
+    private string _email = MultitenancyConstants.Root.EmailAddress;
+    private string _password = MultitenancyConstants.DefaultPassword;
+}