Specific endpoint configuration for Blazor web static files and render mode-endpoints

[phkiener]

Summary

A solution for #51836 - where authorization is applied to the endpoint for _framework/blazor.web.js via FallbackPolicy - by providing a way to specificy e.g. AllowAnonymous on the endpoints added within MapRazorComponents<>.

Motivation and goals

Similar to the linked issue, we're integrating a custom IAuthorizationPolicyProvider where both the FallbackPolicy and the DefaultPolicy will deny access to everyone - just so that no endpoint can be publically accessible by accident, only by explicitly specifying AllowAnonymous on that endpoint.

Right now, we can adjust any endpoints via the conventions by e.g. calling app.MapControllers().Add(eb => AddSomeMetadataWeNeed(eb)) where needed, but this falls short with both the static files-endpoint for _framework/blazor.web.js and the endpoints registered for specific rendermodes such as InteractiveServer. We can make do by filtering the specific paths in our IAuthorizationHandler, but this just feels wrong, you know?

In scope

• Apply custom conventions to the static files hosted by Blazor, i.e. _framework/blazor.web.js
• Apply custom conventions to the endpoints added by each IComponentRenderMode

Out of scope

• Any reordering or other configurations for these endpoints, only conventions

Risks / unknowns

Since the endpoints are exposed for configuration, things might break down in horrible ways - which was the intial reasoning for moving blazor.web.js away from the usual UseStaticFiles into its own endpoint, as far as I understood.

Things might also get confusing because there'd be three possible ways to define conventions:

1. For the rendermode itself
2. For the static files
3. For everything - rendermode, static files and all pages

Examples

Typically, the endpoints are configured using the IEndpointConventionBuilder returned by e.g. MapGet. This can be done for MapRazorComponents<> as well, but these conventions apply to all endpoints, including the routed components.

To make a clear distinction, I'd introduce a new method on the RazorComponentsEndpointConventionBuilder as well as a parameter on (at least) AddInteractiveServerRenderMode to configure the static file and the rendermodes:

app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode(ep => ep.AllowAnonymous())
    .ConfigureStaticFiles(ep => ep.AllowAnonymous()); 

I'm not feeling very inspired on the naming, but that's the gist of it. I initially thought about adding the configuration for static files as parameter to MapRazorComponents<>, but I feel like that'd be to implicit when omitting the parameter name.

It might be interesting to also allow configuration specific for the routed components. That's not a case for us, but doing it via parameter in MapRazorComponents<> feels like the perfect place for that.

With some overloads, this can be done non-breaking, which is very nice. It's out of the way until you actually need it, since all of this is a rather niche case after all.