Harden state-changing endpoints by replacing unsafe GETs with POST/DELETE

[Copilot]

Two API routes were mutating state via GET, allowing unintended writes/deletes from crawlers, prefetchers, or embedded links. This PR aligns those routes with correct HTTP verbs and updates the client contract accordingly.

• API verb corrections

  • PrismController.Remove changed from HttpGet to HttpDelete
  • UserController.Get (get-or-create behavior) changed from HttpGet to HttpPost

• Client contract updates

  • BeamApiService.UnPrismRay(...) now calls DeleteAsync(...) instead of GetFromJsonAsync(...)
  • BeamApiService.GetOrCreateUser(...) now calls PostAsync(...) and deserializes response content
  • Added EnsureSuccessStatusCode() on both updated client calls to fail fast on non-2xx responses

• Behavioral impact

  • Removes CSRF-by-GET class risk for prism deletion
  • Prevents passive GET traffic from auto-creating users

// Before
[HttpGet("[action]/{UserId}/{RayId}")]
public List<Ray> Remove(int UserId, int RayId)

// After
[HttpDelete("[action]/{UserId}/{RayId}")]
public List<Ray> Remove(int UserId, int RayId)