Changes:
- Dashboard.razor: Add [AllowAnonymous] to allow page load before auth check
- CustomAuthenticationStateProvider: Use absolute URIs for HttpClient calls
- Fix JSON parsing: Use ReadAsStringAsync instead of ReadAsAsync
- Implement cookie-first auth strategy with localStorage fallback
Status: /dashboard still not loading after login
Issues to investigate:
- window.location.href redirect not working in Playwright
- Set-Cookie headers not appearing in responses
- JavaScript interop not available during static rendering
Next: Direct browser testing vs Playwright environment issue
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Add HTTP-only cookie setting in /api/auth/login endpoint
- Support both Bearer token and cookie auth in /api/auth/me
- Clear cookie on /api/auth/logout
- Handle admin:admin dev fallback with cookie support
- Update login.html to use 1 second redirect (cookie-based auth faster)
Cookie configuration:
- Name: quant_auth_token
- HttpOnly: true (prevents JavaScript access)
- Secure: based on HTTPS status
- SameSite: Lax (for localhost compatibility)
- Expires: 7 days
Status: Cookie auth framework complete, testing in progress
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>