fix(backend): Refactor OIDC callback and auth dependency to correctly handle cookies and prefix all API routes with /api/v1.

backend/src/ea_chatbot/api/dependencies.py

@@ -25,9 +25,8 @@ oauth2_scheme = OAuth2PasswordBearer(tokenUrl="api/v1/auth/login", auto_error=Fa
 
 async def get_current_user(request: Request, token: str = Depends(oauth2_scheme)) -> User:
     """Dependency to get the current authenticated user from the JWT token (cookie or header)."""
-    # Try getting token from cookie first
-    if not token:
-        token = request.cookies.get("access_token")
+    # Prioritize cookie, fallback to header
+    token = request.cookies.get("access_token") or token
 
     credentials_exception = HTTPException(
         status_code=status.HTTP_401_UNAUTHORIZED,

backend/src/ea_chatbot/api/routers/auth.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, status, Response
+from fastapi import APIRouter, Depends, HTTPException, status, Response, Request
 from fastapi.responses import RedirectResponse
 from fastapi.security import OAuth2PasswordRequestForm
 from ea_chatbot.api.utils import create_access_token
@@ -6,6 +6,9 @@ from ea_chatbot.api.dependencies import history_manager, oidc_client, get_curren
 from ea_chatbot.history.models import User as UserDB
 from ea_chatbot.api.schemas import Token, UserCreate, UserResponse
 import os
+import logging
+
+logger = logging.getLogger(__name__)
 
 router = APIRouter(prefix="/auth", tags=["auth"])
 
@@ -80,9 +83,9 @@ async def oidc_login():
     url = oidc_client.get_login_url()
     return {"url": url}
 
-@router.get("/oidc/callback")
-async def oidc_callback(code: str):
-    """Handle the OIDC callback, issue a JWT, and redirect to frontend."""
+@router.get("/oidc/callback", response_model=Token)
+async def oidc_callback(request: Request, response: Response, code: str):
+    """Handle the OIDC callback, issue a JWT, and redirect or return JSON."""
     if not oidc_client:
         raise HTTPException(status_code=status.HTTP_510_NOT_EXTENDED, detail="OIDC not configured")
     
@@ -99,12 +102,29 @@ async def oidc_callback(code: str):
         
         access_token = create_access_token(data={"sub": str(user.id)})
         
-        response = RedirectResponse(url=f"{FRONTEND_URL}/auth/callback")
-        set_auth_cookie(response, access_token)
-        return response
+        # Determine if we should redirect (direct provider callback) or return JSON (frontend exchange)
+        is_ajax = request.headers.get("X-Requested-With") == "XMLHttpRequest" or \
+                 "application/json" in request.headers.get("Accept", "")
+
+        if is_ajax:
+            set_auth_cookie(response, access_token)
+            return {"access_token": access_token, "token_type": "bearer"}
+        else:
+            redirect_response = RedirectResponse(url=f"{FRONTEND_URL}/auth/callback")
+            set_auth_cookie(redirect_response, access_token)
+            return redirect_response
+            
+    except HTTPException:
+        raise
     except Exception as e:
-        # Redirect to frontend with error
-        return RedirectResponse(url=f"{FRONTEND_URL}?error=oidc_failed")
+        logger.exception("OIDC authentication failed")
+        # For non-ajax, redirect with error
+        is_ajax = request.headers.get("X-Requested-With") == "XMLHttpRequest" or \
+                 "application/json" in request.headers.get("Accept", "")
+        if is_ajax:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="OIDC authentication failed")
+        else:
+            return RedirectResponse(url=f"{FRONTEND_URL}?error=oidc_failed")
 
 @router.get("/me", response_model=UserResponse)
 async def get_me(current_user: UserDB = Depends(get_current_user)):