fix: Configure HTTPS domain and OAuth callback route

- Update configuration for production HTTPS domain (devden.hiddenden.cafe)
- Add nginx reverse proxy for /api and /auth routes to backend
- Create auth-callback.html to handle Microsoft Entra ID OAuth redirect
- Fix API_URL in script.js to use same origin (remove :8000 port)
- Add cache-busting query parameter (?v=2) to script.js
- Update .env.example with HTTPS requirements documentation

This resolves Azure Entra ID redirect URI mismatch and enables proper
OAuth authentication flow through the nginx frontend proxy.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

default.conf

@@ -4,6 +4,38 @@ server {
     root /usr/share/nginx/html;
     index index.html;
 
+    # Proxy API requests to backend
+    location /api/ {
+        proxy_pass http://backend:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Support for SSE (Server-Sent Events)
+        proxy_buffering off;
+        proxy_cache off;
+    }
+
+    # OAuth callback endpoint - redirect to root with query params
+    location = /auth/callback {
+        try_files /auth-callback.html =404;
+    }
+
+    # Proxy other auth requests to backend
+    location /auth/ {
+        proxy_pass http://backend:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
     # Enable SPA routing - try to serve the file, then directory, then fallback to index.html
     location / {
         try_files $uri $uri/ /index.html;