fix(auth): convert /api/auth/logout to POST

The endpoint was a MapGet, which made it CSRF-able: an <img> tag on any
page open in the same browser could fire it and silently sign the user
out of FwLite Web. Switch to POST and drop the server-side redirect
(no callers were relying on either — the viewer logs out via the
[JSInvokable] Blazor interop method, not HTTP).

Refs #2306

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: myieye

backend/FwLite/FwLiteWeb/Routes/AuthRoutes.cs

@@ -42,11 +42,11 @@ public static IEndpointConventionBuilder MapAuthRoutes(this WebApplication app)
             {
                 return new { name = await authService.GetLoggedInName(options.Value.GetServerByAuthority(authority)) };
             });
-        group.MapGet("/logout/{authority}",
+        group.MapPost("/logout/{authority}",
             async (AuthService authService, string authority, IOptions<AuthConfig> options) =>
             {
                 await authService.Logout(options.Value.GetServerByAuthority(authority));
-                return Results.Redirect("/");
+                return Results.Ok();
             });
         return group;
     }