fix: enforce authorization on login refresh and logout endpoints

Author: ChaosEngine

src/IdentityManager2/Api/Controllers/PageController.cs

@@ -12,6 +12,7 @@ namespace IdentityManager2.Api.Controllers
 {
     [SecurityHeaders]
     [ResponseCache(NoStore = true, Location = ResponseCacheLocation.None)]
+    [Authorize(IdentityManagerConstants.IdMgrAuthPolicy)]
     public class PageController : Controller
     {
         private readonly IdentityManagerOptions config;
@@ -56,7 +57,6 @@ public async Task<IActionResult> Login()
         }
 
         [HttpGet]
-        [AllowAnonymous]
         [Route("api/login/refresh")]
         public async Task<IActionResult> Refresh()
         {
@@ -71,7 +71,6 @@ public async Task<IActionResult> Refresh()
         }
 
         [HttpGet]
-        [AllowAnonymous]
         [Route("api/logout", Name = IdentityManagerConstants.RouteNames.Logout)]
         public async Task<IActionResult> Logout()
         {