fix: Identity auth routing, antiforgery, and layout fixes

- Create AppRoutes.razor wrapper to include WebApp assembly in Blazor Router
  (Account pages in WebApp weren't discovered by UI-only Router)
- Change account form POST endpoints to /account-action/* prefix to avoid
  collision with Blazor component routes that intercept form POSTs
- Add <AntiforgeryToken /> to all account forms (Register, Login, Logout,
  ForgotPassword, ResetPassword)
- Update LoginDisplay logout form to use /account-action/Logout path

Tested: Register creates user in DB, auto-signs in, redirects to dashboard.
Login page renders correctly with authenticated state shown in LoginDisplay.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: davidortinau

src/SentenceStudio.WebApp/Auth/AccountEndpoints.cs

@@ -9,7 +9,7 @@ public static class AccountEndpoints
 {
     public static void MapAccountEndpoints(this WebApplication app)
     {
-        var group = app.MapGroup("/Account");
+        var group = app.MapGroup("/account-action");
 
         group.MapPost("/Login", async (
             [FromForm] string email,

src/SentenceStudio.WebApp/Components/App.razor

@@ -19,7 +19,7 @@
 
 <body>
     <CascadingAuthenticationState>
-        <SentenceStudio.WebUI.Routes @rendermode="InteractiveServer" />
+        <SentenceStudio.WebApp.Components.AppRoutes @rendermode="InteractiveServer" />
     </CascadingAuthenticationState>
     <ReconnectModal />
     <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"></script>

src/SentenceStudio.WebApp/Components/AppRoutes.razor

@@ -0,0 +1,15 @@
+<Router AppAssembly="typeof(SentenceStudio.WebUI.Routes).Assembly"
+        AdditionalAssemblies="new[] { typeof(AppRoutes).Assembly }">
+    <Found Context="routeData">
+        <RouteView RouteData="routeData" DefaultLayout="typeof(SentenceStudio.WebUI.Layout.MainLayout)" />
+        <FocusOnNavigate RouteData="routeData" Selector="h1" />
+    </Found>
+    <NotFound>
+        <LayoutView Layout="typeof(SentenceStudio.WebUI.Layout.MainLayout)">
+            <div class="container text-center mt-5">
+                <h1>Page not found</h1>
+                <p class="text-secondary">Sorry, the page you requested could not be found.</p>
+            </div>
+        </LayoutView>
+    </NotFound>
+</Router>

src/SentenceStudio.WebApp/Components/Layout/LoginDisplay.razor

@@ -19,7 +19,8 @@
             }
             else
             {
-                <form method="post" action="/Account/Logout" class="d-inline">
+                <form method="post" action="/account-action/Logout" class="d-inline">
+                    <AntiforgeryToken />
                     <button type="submit" class="btn btn-outline-light btn-sm">
                         <i class="bi bi-box-arrow-right me-1"></i>Sign out
                     </button>

src/SentenceStudio.WebApp/Components/Pages/Account/ForgotPassword.razor

@@ -25,7 +25,8 @@
                             Enter your email address and we will send you a link to reset your password.
                         </p>
 
-                        <form method="post" action="/Account/ForgotPassword">
+                        <form method="post" action="/account-action/ForgotPassword">
+                        <AntiforgeryToken />
                             <div class="mb-3">
                                 <label for="email" class="form-label">Email</label>
                                 <input type="email" class="form-control" id="email" name="email"

src/SentenceStudio.WebApp/Components/Pages/Account/Login.razor

@@ -20,7 +20,8 @@
                         <div class="alert alert-success" role="alert">@SuccessMessage</div>
                     }
 
-                    <form method="post" action="/Account/Login">
+                    <form method="post" action="/account-action/Login">
+                        <AntiforgeryToken />
                         <input type="hidden" name="returnUrl" value="@ReturnUrl" />
 
                         <div class="mb-3">

src/SentenceStudio.WebApp/Components/Pages/Account/Register.razor

@@ -22,7 +22,8 @@
                         </div>
                     }
 
-                    <form method="post" action="/Account/Register">
+                    <form method="post" action="/account-action/Register">
+                        <AntiforgeryToken />
                         <div class="mb-3">
                             <label for="displayName" class="form-label">Display Name</label>
                             <input type="text" class="form-control" id="displayName" name="displayName"

src/SentenceStudio.WebApp/Components/Pages/Account/ResetPassword.razor

@@ -15,7 +15,8 @@
                         <div class="alert alert-danger" role="alert">@ErrorMessage</div>
                     }
 
-                    <form method="post" action="/Account/ResetPassword">
+                    <form method="post" action="/account-action/ResetPassword">
+                    <AntiforgeryToken />
                         <input type="hidden" name="email" value="@Email" />
                         <input type="hidden" name="token" value="@Token" />