Add CSRF protection to state-changing POST endpoints

Add gorilla/csrf middleware to protect all HTML-serving routes against
cross-site request forgery attacks. The webhook endpoint is excluded
since it uses secret-based authentication.

Changes:
- Add gorilla/csrf v1.7.3 dependency
- Add CSRF() middleware method using session secret as key
- Apply CSRF middleware to all HTML route groups in routes.go
- Pass CSRF token to all templates via addGlobals helper
- Add {{ .CSRFField }} / {{ $.CSRFField }} hidden inputs to all forms

Closes #11

internal/handlers/auth.go

@@ -10,8 +10,8 @@ import (
 func (h *Handlers) HandleLoginGET() http.HandlerFunc {
 	tmpl := templates.GetParsed()
 
-	return func(writer http.ResponseWriter, _ *http.Request) {
-		data := h.addGlobals(map[string]any{})
+	return func(writer http.ResponseWriter, request *http.Request) {
+		data := h.addGlobals(map[string]any{}, request)
 
 		err := tmpl.ExecuteTemplate(writer, "login.html", data)
 		if err != nil {
@@ -38,7 +38,7 @@ func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
 
 		data := h.addGlobals(map[string]any{
 			"Username": username,
-		})
+		}, request)
 
 		if username == "" || password == "" {
 			data["Error"] = "Username and password are required"