Fix HTTP 500 login error: Configure anti-forgery and routing for proxy

- Re-enabled ValidateAntiForgeryToken attribute
- Configured anti-forgery for proxy environments with SameAsRequest
- Fixed area routing order and constraints
- Added proper forwarded headers middleware

LittleShop/Areas/Admin/Controllers/AccountController.cs

@@ -28,7 +28,7 @@ public class AccountController : Controller
     }
 
     [HttpPost]
-    // [ValidateAntiForgeryToken] // Temporarily disabled for HTTPS proxy issue
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> Login(string username, string password)
     {
         Console.WriteLine($"Received Username: '{username}', Password: '{password}'");

LittleShop/Program.cs

@@ -27,6 +27,10 @@ builder.Services.AddAntiforgery(options =>
 {
     options.HeaderName = "X-CSRF-TOKEN";
     options.FormFieldName = "__RequestVerificationToken";
+    options.SuppressXFrameOptionsHeader = false;
+    // Required for HTTPS proxy scenarios
+    options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.SameAsRequest;
+    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
 });
 
 // Database
@@ -264,16 +268,17 @@ app.UseAuthentication();
 app.UseAuthorization();
 
 // Configure routing
-app.MapControllerRoute(
-    name: "admin",
-    pattern: "Admin/{controller=Dashboard}/{action=Index}/{id?}",
-    defaults: new { area = "Admin" }
-);
-
 app.MapControllerRoute(
     name: "areas",
     pattern: "{area:exists}/{controller=Home}/{action=Index}/{id?}");
 
+app.MapControllerRoute(
+    name: "admin",
+    pattern: "Admin/{controller=Dashboard}/{action=Index}/{id?}",
+    defaults: new { area = "Admin" },
+    constraints: new { area = "Admin" }
+);
+
 app.MapControllerRoute(
     name: "default",
     pattern: "{controller=Home}/{action=Index}/{id?}");