fix: Discord OAuth CSRF cookie SameSite=None for cross-site callback

- Changed __DiscordOAuthState cookie from SameSite=Strict to SameSite=None
  because Discord redirects from discord.com (cross-site) and Strict
  prevents the cookie from being sent on the callback request.
- Added logging for CSRF validation failure to aid future diagnostics.

Bump version → 2.8.1

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/GmRelay.Web/Program.cs

@@ -192,7 +192,7 @@ app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth
     {
         HttpOnly = true,
         Secure = true,
-        SameSite = SameSiteMode.Strict,
+        SameSite = SameSiteMode.None,
         MaxAge = TimeSpan.FromMinutes(5)
     });
     var url = discordAuth.BuildAuthorizeUrl(state);
@@ -202,7 +202,8 @@ app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth
 app.MapGet("/auth/discord/callback", async (
     HttpContext context,
     DiscordAuthService discordAuth,
-    ISessionStore sessionStore) =>
+    ISessionStore sessionStore,
+    ILogger<Program> logger) =>
 {
     var code = context.Request.Query["code"].ToString();
     var state = context.Request.Query["state"].ToString();
@@ -216,6 +217,8 @@ app.MapGet("/auth/discord/callback", async (
             System.Text.Encoding.UTF8.GetBytes(state),
             System.Text.Encoding.UTF8.GetBytes(storedState ?? string.Empty)))
     {
+        logger.LogWarning("Discord OAuth CSRF validation failed. code_present={CodePresent}, state_present={StatePresent}, stored_state_present={StoredStatePresent}",
+            !string.IsNullOrWhiteSpace(code), !string.IsNullOrWhiteSpace(state), !string.IsNullOrWhiteSpace(storedState));
         return Results.Redirect("/login?error=auth_failed");
     }