DbFirst/DbFirst.BlazorWebApp/Program.cs

using DbFirst.BlazorWebApp;
using DbFirst.BlazorWebApp.Components;
using DbFirst.BlazorWebApp.Services;
using DevExpress.Blazor;
using System.Net;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddRazorComponents()
    .AddInteractiveServerComponents();

builder.Services.AddDevExpressBlazor(options => options.BootstrapVersion = BootstrapVersion.v5);
builder.Services.AddScoped<ThemeState>();
builder.Services.AddScoped<BandLayoutService>();
builder.Services.AddScoped<AuthService>();
builder.Services.AddScoped<CookieContainer>();

builder.Services.Configure<AppSettings>(builder.Configuration);
var appSettings = builder.Configuration.Get<AppSettings>() ?? new AppSettings();

// Alle API-Clients teilen sich denselben scoped CookieContainer (pro Blazor-Circuit),
// damit das Auth-Cookie nach dem Login automatisch an alle Folgeanfragen angehängt wird.
// Der UserHeaderHandler ergänzt automatisch den X-Authenticated-User-Header.
static HttpClient CreateApiHttpClient(CookieContainer cookieContainer, AuthService authService, string? baseUrl)
{
    var inner = new HttpClientHandler { UseCookies = false };
    var handler = new UserHeaderHandler(authService) { InnerHandler = inner };
    var client = new HttpClient(handler);
    if (!string.IsNullOrWhiteSpace(baseUrl))
        client.BaseAddress = new Uri(baseUrl);
    return client;
}

static HttpClient CreateAuthHttpClient(CookieContainer cookieContainer, string? baseUrl)
{
    var handler = new HttpClientHandler { CookieContainer = cookieContainer, UseCookies = true };
    var client = new HttpClient(handler);
    if (!string.IsNullOrWhiteSpace(baseUrl))
        client.BaseAddress = new Uri(baseUrl);
    return client;
}

builder.Services.AddScoped<IAuthApiClient>(sp =>
{
    var cc = sp.GetRequiredService<CookieContainer>();
    var authBaseUrl = !string.IsNullOrWhiteSpace(appSettings.AuthService.BaseUrl)
        ? appSettings.AuthService.BaseUrl
        : appSettings.BaseUrl;
    var client = CreateAuthHttpClient(cc, authBaseUrl);
    return new AuthApiClient(client, sp.GetRequiredService<AuthService>(), cc);
});

var apiDefaultUrl = !string.IsNullOrWhiteSpace(appSettings.ApiDefaultUrl)
    ? appSettings.ApiDefaultUrl
    : appSettings.BaseUrl;

builder.Services.AddScoped<ICatalogApiClient>(sp =>
    new CatalogApiClient(CreateApiHttpClient(
        sp.GetRequiredService<CookieContainer>(),
        sp.GetRequiredService<AuthService>(),
        apiDefaultUrl)));

builder.Services.AddScoped<IDashboardApiClient>(sp =>
    new DashboardApiClient(CreateApiHttpClient(
        sp.GetRequiredService<CookieContainer>(),
        sp.GetRequiredService<AuthService>(),
        apiDefaultUrl)));

builder.Services.AddScoped<IMassDataApiClient>(sp =>
    new MassDataApiClient(CreateApiHttpClient(
        sp.GetRequiredService<CookieContainer>(),
        sp.GetRequiredService<AuthService>(),
        apiDefaultUrl)));

builder.Services.AddScoped<ILayoutApiClient>(sp =>
    new LayoutApiClient(CreateApiHttpClient(
        sp.GetRequiredService<CookieContainer>(),
        sp.GetRequiredService<AuthService>(),
        apiDefaultUrl)));

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error", createScopeForErrors: true);
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

app.UseHttpsRedirection();

app.UseStaticFiles();
app.UseAntiforgery();

app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode();

app.Run();