
Parameterize Firebase auth domain across frontend, nginx CSP, and backend #142

@coderabbitai


Summary

The Firebase project domain (sportdeets-dev.firebaseapp.com) is hardcoded in three critical layers, creating a production deployment blocker.

Affected Files

  • src/UI/sd-ui/src/firebase.js — authDomain is hardcoded to sportdeets-dev.firebaseapp.com
  • src/UI/sd-ui/security-headers.conf — frame-src in the CSP header references the dev Firebase domain directly (TODO comment added in PR #141, "fix csp issues")
  • src/SportsData.Api/Program.cs — JWT validation is hardcoded to the sportdeets-dev Firebase project

Risk

Production deployment will either fail authentication entirely (if using a different Firebase project) or leak production user data into the dev Firebase project (if inadvertently reusing the dev project ID).

Required Work

  1. Frontend — Update src/UI/sd-ui/src/firebase.js to read the Firebase config from environment variables:

     ```js
     const firebaseConfig = {
       apiKey: process.env.REACT_APP_FIREBASE_API_KEY,
       authDomain: process.env.REACT_APP_FIREBASE_AUTH_DOMAIN,
       // ...
     };
     ```

  2. Nginx CSP — Template src/UI/sd-ui/security-headers.conf so that FIREBASE_AUTH_DOMAIN is injected at container startup, using envsubst or nginx variable substitution.
  3. Backend — Update src/SportsData.Api/Program.cs to load the Firebase project/domain from appsettings or environment variables rather than the hardcoded literal.
  4. Docker/env files — Ensure the Dockerfiles and the .env.dev/.env.prod files pass the same FIREBASE_AUTH_DOMAIN variable name to all three layers so they stay in sync.
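The following is an added example, not code from the sportdeets repository or from this issue's author, showing the fail-fast behaviour a practitioner would want from steps 1, 2 and 4 together: the frontend config is built from REACT_APP_FIREBASE_* variables and refuses to start with a missing value or, in a production build, with the dev auth domain the issue quotes; the nginx security-headers template is rendered in-process instead of with plain envsubst, which silently replaces an unset variable with an empty string and would leave a broken `frame-src https://` in the CSP; and a deployment check confirms the frontend and nginx layers resolve to the same domain. The function names, the template text and the sample environment are assumptions constructed for the example; only the variable names and the dev domain come from the issue.

```javascript
// Added example (not from the sportdeets repo). Env variable names follow the
// issue's proposal; DEV_AUTH_DOMAIN is the literal the issue says is hardcoded.
const DEV_AUTH_DOMAIN = "sportdeets-dev.firebaseapp.com";

// A Firebase authDomain is a bare hostname: no scheme, no port, no path.
const HOSTNAME_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i;

// Read a required variable; an unset or blank value is a hard error, never
// a silent fallback to the dev project.
function requireEnv(env, name) {
  const value = env[name];
  if (value === undefined || value.trim() === "") {
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value.trim();
}

// Step 1 (frontend): build the Firebase config from the environment.
function loadFirebaseConfig(env) {
  const authDomain = requireEnv(env, "REACT_APP_FIREBASE_AUTH_DOMAIN");
  if (!HOSTNAME_RE.test(authDomain)) {
    throw new Error(`REACT_APP_FIREBASE_AUTH_DOMAIN must be a bare hostname, got "${authDomain}"`);
  }
  // Guard against the data-leak case the issue describes: a production build
  // that is still pointed at the dev Firebase project.
  if (env.NODE_ENV === "production" && authDomain === DEV_AUTH_DOMAIN) {
    throw new Error("Production build is configured with the dev Firebase auth domain");
  }
  return {
    apiKey: requireEnv(env, "REACT_APP_FIREBASE_API_KEY"),
    authDomain,
  };
}

// Step 2 (nginx): render security-headers.conf from a template at container
// startup. Every ${NAME} must resolve to a non-empty value, and the value must
// not be able to break out of the quoted header or terminate the directive.
function renderTemplate(template, env) {
  return template.replace(/\$\{([A-Z0-9_]+)\}/g, (_, name) => {
    const value = requireEnv(env, name);
    if (/[;\s"']/.test(value)) {
      throw new Error(`Unsafe characters in ${name}: "${value}"`);
    }
    return value;
  });
}

// Assumed template line; the repo's real security-headers.conf is not shown
// in the issue. In a single-quoted JS string the ${...} is literal text.
const CSP_TEMPLATE =
  'add_header Content-Security-Policy "frame-src \'self\' https://${FIREBASE_AUTH_DOMAIN};" always;';

// Step 4 (keeping layers in sync): the frontend build variable and the nginx
// variable must name the same domain, or the frame-src directive will not
// match the domain the frontend SDK actually loads.
function checkLayersAgree(env) {
  const frontend = requireEnv(env, "REACT_APP_FIREBASE_AUTH_DOMAIN");
  const nginx = requireEnv(env, "FIREBASE_AUTH_DOMAIN");
  if (frontend !== nginx) {
    throw new Error(`Auth domain mismatch: frontend=${frontend} nginx=${nginx}`);
  }
  return frontend;
}

// Constructed sample environment for a stand-alone run (not real credentials).
const sampleEnv = {
  NODE_ENV: "production",
  REACT_APP_FIREBASE_API_KEY: "example-api-key",
  REACT_APP_FIREBASE_AUTH_DOMAIN: "example-prod.firebaseapp.com",
  FIREBASE_AUTH_DOMAIN: "example-prod.firebaseapp.com",
};

console.log(loadFirebaseConfig(sampleEnv));
console.log(renderTemplate(CSP_TEMPLATE, sampleEnv));
console.log("layers agree on", checkLayersAgree(sampleEnv));
```

The backend (step 3) is not shown here because it is C#; the same principle applies, namely read the project/domain from configuration at startup and throw if it is absent, so a misconfigured container fails to start rather than validating tokens against the wrong project.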
