fix(deploy): resolve auth + sample-bundle issues uncovered in e2e

configure_auth.sh / configure_auth.ps1:
- Set globalValidation (requireAuthentication, unauthenticatedClientAction,
  redirectToProvider) directly in the authConfig PUT — the CLI flags were not
  reliably populating redirectToProvider, leaving the Web app responding 401
  to browser users instead of redirecting to AAD.
- Explicitly POST oauth2PermissionGrants to grant the API user_impersonation
  scope to the Web service principal. 'az ad app permission admin-consent'
  silently consents Microsoft Graph only and skips custom-API delegated
  scopes, which made MSAL acquireTokenSilent fail and rendered a blank SPA
  after successful login.
- Override APP_WEB_AUTHORITY env var on the Web container app so MSAL.js
  uses a properly-formed authority URL.
- Restart Web + API container revisions after secrets/env updates so the
  new values take effect without a manual restart.

infra/main.bicep:
- Drop redundant slash in APP_WEB_AUTHORITY composition; loginEndpoint
  already has a trailing slash, so '${loginEndpoint}/${tenantId}' produced
  a double-slash URL that broke MSAL.

infra/scripts/post_deployment.sh:
- Fix bash array iteration in Step 4b schema-id lookup. The previous
  'for RID in $REGISTERED_IDS' de-references the array as a scalar (only
  the first element), causing only one file per sample bundle to upload.
  Switched to indexed iteration with ${!REGISTERED_IDS[@]} and a name
  lookup against REGISTERED_NAMES[$i].

Author: DonLee

infra/main.bicep

@@ -1196,7 +1196,7 @@ module avmContainerApp_Web 'br/public:avm/res/app/container-app:0.19.0' = {
           }
           {
             name: 'APP_WEB_AUTHORITY'
-            value: '${environment().authentication.loginEndpoint}/${tenant().tenantId}'
+            value: '${environment().authentication.loginEndpoint}${tenant().tenantId}'
           }
           {
             name: 'APP_WEB_SCOPE'

infra/scripts/configure_auth.ps1

@@ -195,6 +195,33 @@ try {
   Write-Host "     Or: https://login.microsoftonline.com/$TenantId/adminconsent?client_id=$WebClientId"
 }
 
+# Belt-and-suspenders: explicitly grant the API user_impersonation scope to
+# the Web SP. `az ad app permission admin-consent` often skips custom-API
+# delegated permissions, leaving MSAL.js silent token acquisition broken
+# (which causes the SPA to render a blank page after sign-in).
+$WebSpId = az ad sp show --id $WebClientId --query id -o tsv 2>$null
+$ApiSpId = az ad sp show --id $ApiClientId --query id -o tsv 2>$null
+if ($WebSpId -and $ApiSpId) {
+  $existing = az rest --method get `
+    --url "https://graph.microsoft.com/v1.0/servicePrincipals/$WebSpId/oauth2PermissionGrants" `
+    --query "value[?resourceId=='$ApiSpId'] | [0].id" -o tsv 2>$null
+  if (-not $existing -or $existing -eq "null") {
+    $body = "{`"clientId`":`"$WebSpId`",`"consentType`":`"AllPrincipals`",`"resourceId`":`"$ApiSpId`",`"scope`":`"user_impersonation`"}"
+    try {
+      az rest --method POST `
+        --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" `
+        --headers "Content-Type=application/json" `
+        --body $body --output none
+      Write-Host "  ✓ API user_impersonation scope granted to Web SP"
+    } catch {
+      Write-Host "  ⚠️  Could not auto-grant API user_impersonation; SPA may show blank page until granted manually."
+      $ConsentOk = $false
+    }
+  } else {
+    Write-Host "  ↺ API user_impersonation scope already granted"
+  }
+}
+
 # --- Step 4: Container App secrets ------------------------------------------
 Write-Host ""
 Write-Host "➡️  Step 4/6: Client secrets"
@@ -240,7 +267,7 @@ Write-Host ""
 Write-Host "➡️  Step 6/6: Wiring env vars and caller allowlist"
 
 az containerapp update -n $WebName -g $ResourceGroup `
-  --set-env-vars "APP_WEB_CLIENT_ID=$WebClientId" "APP_WEB_SCOPE=$WebScopeValue" "APP_API_SCOPE=$ApiScopeValue" "APP_AUTH_ENABLED=true" `
+  --set-env-vars "APP_WEB_CLIENT_ID=$WebClientId" "APP_WEB_SCOPE=$WebScopeValue" "APP_API_SCOPE=$ApiScopeValue" "APP_WEB_AUTHORITY=https://login.microsoftonline.com/$TenantId" "APP_AUTH_ENABLED=true" `
   --output none
 Write-Host "  ✓ Web env vars updated"
 
@@ -262,6 +289,19 @@ function Patch-AuthConfig($CaName, $ClientId, $AddWebAllowed) {
   if ($AddWebAllowed -and ($allowed -notcontains $WebClientId)) { $allowed += $WebClientId }
   $policy.allowedApplications = $allowed
 
+  if (-not $current.properties.platform) { $current.properties | Add-Member -MemberType NoteProperty -Name platform -Value (@{}) }
+  $current.properties.platform.enabled = $true
+  if (-not $current.properties.globalValidation) { $current.properties | Add-Member -MemberType NoteProperty -Name globalValidation -Value ([pscustomobject]@{}) }
+  $gv = $current.properties.globalValidation
+  if ($gv.PSObject.Properties.Name -notcontains 'requireAuthentication') { $gv | Add-Member -MemberType NoteProperty -Name requireAuthentication -Value $true } else { $gv.requireAuthentication = $true }
+  if ($AddWebAllowed) {
+    if ($gv.PSObject.Properties.Name -notcontains 'unauthenticatedClientAction') { $gv | Add-Member -MemberType NoteProperty -Name unauthenticatedClientAction -Value 'Return401' } else { $gv.unauthenticatedClientAction = 'Return401' }
+    if ($gv.PSObject.Properties.Name -contains 'redirectToProvider') { $gv.PSObject.Properties.Remove('redirectToProvider') }
+  } else {
+    if ($gv.PSObject.Properties.Name -notcontains 'unauthenticatedClientAction') { $gv | Add-Member -MemberType NoteProperty -Name unauthenticatedClientAction -Value 'RedirectToLoginPage' } else { $gv.unauthenticatedClientAction = 'RedirectToLoginPage' }
+    if ($gv.PSObject.Properties.Name -notcontains 'redirectToProvider') { $gv | Add-Member -MemberType NoteProperty -Name redirectToProvider -Value 'azureactivedirectory' } else { $gv.redirectToProvider = 'azureactivedirectory' }
+  }
+
   $tmp = New-TemporaryFile
   $current | ConvertTo-Json -Depth 20 | Out-File -FilePath $tmp -Encoding utf8
   Retry { az rest --method put --url $url --headers "Content-Type=application/json" --body "@$tmp" | Out-Null }
@@ -272,10 +312,20 @@ Patch-AuthConfig $ApiName $ApiClientId $true
 Patch-AuthConfig $WebName $WebClientId $false
 Write-Host "  ✓ authConfigs normalized (issuer, audiences, allowedApplications)"
 
-az containerapp auth update -n $WebName -g $ResourceGroup --unauthenticated-client-action RedirectToLoginPage --output none
-az containerapp auth update -n $ApiName -g $ResourceGroup --unauthenticated-client-action Return401 --output none
 Write-Host "  ✓ Unauthenticated requests: Web → login, API → 401"
 
+# Restart active revisions so containers pick up newly-set client secrets.
+# (`az containerapp secret set` does NOT trigger a new revision on its own.)
+function Restart-ActiveRevision($CaName) {
+  $rev = az containerapp revision list -n $CaName -g $ResourceGroup --query "[?properties.active] | [0].name" -o tsv 2>$null
+  if ($rev -and $rev -ne "null") {
+    az containerapp revision restart -n $CaName -g $ResourceGroup --revision $rev --output none 2>$null
+  }
+}
+Restart-ActiveRevision $WebName
+Restart-ActiveRevision $ApiName
+Write-Host "  ✓ Restarted Web + API container revisions to apply secrets"
+
 Write-Host ""
 Write-Host "============================================================"
 Write-Host "🔐 Auth configuration complete."

infra/scripts/configure_auth.sh

@@ -245,6 +245,33 @@ else
   echo "  ✓ Admin consent granted"
 fi
 
+# Belt-and-suspenders: explicitly grant the API scope to the Web SP.
+# `az ad app permission admin-consent` is unreliable for app-to-app delegated
+# permissions exposed by a freshly-created custom API — the consent often only
+# covers Microsoft Graph permissions and silently skips the API. Without the
+# API grant, MSAL.js acquireTokenSilent() fails on the SPA and the page is blank.
+WEB_SP_ID="$(az ad sp show --id "$WEB_CLIENT_ID" --query id -o tsv 2>/dev/null || true)"
+API_SP_ID="$(az ad sp show --id "$API_CLIENT_ID" --query id -o tsv 2>/dev/null || true)"
+if [[ -n "$WEB_SP_ID" && -n "$API_SP_ID" ]]; then
+  EXISTING_GRANT="$(az rest --method get \
+    --url "https://graph.microsoft.com/v1.0/servicePrincipals/${WEB_SP_ID}/oauth2PermissionGrants" \
+    --query "value[?resourceId=='${API_SP_ID}'] | [0].id" -o tsv 2>/dev/null || true)"
+  if [[ -z "$EXISTING_GRANT" || "$EXISTING_GRANT" == "null" ]]; then
+    if az rest --method POST \
+      --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" \
+      --headers "Content-Type=application/json" \
+      --body "{\"clientId\":\"${WEB_SP_ID}\",\"consentType\":\"AllPrincipals\",\"resourceId\":\"${API_SP_ID}\",\"scope\":\"user_impersonation\"}" \
+      --output none 2>/dev/null; then
+      echo "  ✓ API user_impersonation scope granted to Web SP"
+    else
+      echo "  ⚠️  Could not auto-grant API user_impersonation; SPA may show blank page until granted manually."
+      CONSENT_OK=false
+    fi
+  else
+    echo "  ↺ API user_impersonation scope already granted"
+  fi
+fi
+
 # -----------------------------------------------------------------------------
 # Step 4: Client secrets + Container App secrets
 # -----------------------------------------------------------------------------
@@ -314,29 +341,34 @@ echo ""
 echo "➡️  Step 6/6: Wiring env vars and caller allowlist"
 
 # Update Web container env vars (other values left untouched)
+# Also overwrite APP_WEB_AUTHORITY to fix a pre-existing bicep bug that produces
+# a malformed authority URL (double slash before tenant id).
 az containerapp update -n "$WEB_NAME" -g "$RESOURCE_GROUP" \
   --set-env-vars \
     "APP_WEB_CLIENT_ID=$WEB_CLIENT_ID" \
     "APP_WEB_SCOPE=$WEB_SCOPE_VALUE" \
     "APP_API_SCOPE=$API_SCOPE_VALUE" \
+    "APP_WEB_AUTHORITY=https://login.microsoftonline.com/$TENANT_ID" \
     "APP_AUTH_ENABLED=true" \
   --output none
-echo "  ✓ Web env vars: APP_WEB_CLIENT_ID / APP_WEB_SCOPE / APP_API_SCOPE / APP_AUTH_ENABLED"
+echo "  ✓ Web env vars: APP_WEB_CLIENT_ID / APP_WEB_SCOPE / APP_API_SCOPE / APP_WEB_AUTHORITY / APP_AUTH_ENABLED"
 
 # Patch both authConfigs:
 #   - API: add Web client id to allowedApplications
 #   - Both: reset allowedAudiences to only the clientId, normalize openIdIssuer
 patch_authconfig() {
   local ca_name="$1"
   local client_id="$2"
-  local add_web_allowed="$3"   # "true" / "false"
+  local add_web_allowed="$3"   # "true" (API side) / "false" (Web side)
   local url="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.App/containerApps/${ca_name}/authConfigs/current?api-version=2024-03-01"
   local cur patched
   cur="$(az rest --method get --url "$url")"
   patched="$(echo "$cur" | ADD_WEB="$add_web_allowed" WEB_CLIENT_ID="$WEB_CLIENT_ID" CLIENT_ID="$client_id" TENANT_ID="$TENANT_ID" python3 -c "
 import json, os, sys
 d = json.load(sys.stdin)
 props = d.setdefault('properties', {})
+props['platform'] = props.get('platform') or {}
+props['platform']['enabled'] = True
 idp = props.setdefault('identityProviders', {})
 aad = idp.setdefault('azureActiveDirectory', {})
 reg = aad.setdefault('registration', {})
@@ -348,6 +380,14 @@ allowed = set(policy.get('allowedApplications') or [])
 if os.environ['ADD_WEB'] == 'true':
     allowed.add(os.environ['WEB_CLIENT_ID'])
 policy['allowedApplications'] = sorted(allowed)
+gv = props.setdefault('globalValidation', {})
+gv['requireAuthentication'] = True
+if os.environ['ADD_WEB'] == 'true':
+    gv['unauthenticatedClientAction'] = 'Return401'
+    gv.pop('redirectToProvider', None)
+else:
+    gv['unauthenticatedClientAction'] = 'RedirectToLoginPage'
+    gv['redirectToProvider'] = 'azureactivedirectory'
 print(json.dumps(d))
 ")"
   echo "$patched" > /tmp/authconfig_patch.json
@@ -361,13 +401,25 @@ patch_authconfig "$API_NAME" "$API_CLIENT_ID" "true"
 patch_authconfig "$WEB_NAME" "$WEB_CLIENT_ID" "false"
 echo "  ✓ authConfigs normalized (issuer, audiences, allowedApplications)"
 
-# Final lockdown
-az containerapp auth update -n "$WEB_NAME" -g "$RESOURCE_GROUP" \
-  --unauthenticated-client-action RedirectToLoginPage --output none
-az containerapp auth update -n "$API_NAME" -g "$RESOURCE_GROUP" \
-  --unauthenticated-client-action Return401 --output none
+# Final lockdown handled in patch_authconfig globalValidation above.
 echo "  ✓ Unauthenticated requests: Web → login, API → 401"
 
+# Restart active revisions so containers pick up newly-set client secrets.
+# (`az containerapp secret set` does NOT trigger a new revision on its own.)
+restart_active_revision() {
+  local ca_name="$1"
+  local rev
+  rev="$(az containerapp revision list -n "$ca_name" -g "$RESOURCE_GROUP" \
+    --query "[?properties.active] | [0].name" -o tsv 2>/dev/null || true)"
+  if [[ -n "$rev" && "$rev" != "null" ]]; then
+    az containerapp revision restart -n "$ca_name" -g "$RESOURCE_GROUP" \
+      --revision "$rev" --output none 2>/dev/null || true
+  fi
+}
+restart_active_revision "$WEB_NAME"
+restart_active_revision "$API_NAME"
+echo "  ✓ Restarted Web + API container revisions to apply secrets"
+
 echo ""
 echo "============================================================"
 echo "🔐 Auth configuration complete."

infra/scripts/post_deployment.sh

@@ -297,12 +297,9 @@ else
 
         # Look up schema ID from registered schemas
         SCHEMA_ID=""
-        RIDX=0
-        for RID in $REGISTERED_IDS; do
-          RIDX=$((RIDX + 1))
-          RNAME=$(echo "$REGISTERED_NAMES" | tr ' ' '\n' | sed -n "${RIDX}p")
-          if [ "$RNAME" = "$SCHEMA_CLASS" ]; then
-            SCHEMA_ID="$RID"
+        for i in "${!REGISTERED_IDS[@]}"; do
+          if [ "${REGISTERED_NAMES[$i]}" = "$SCHEMA_CLASS" ]; then
+            SCHEMA_ID="${REGISTERED_IDS[$i]}"
             break
           fi
         done