Add CSRF protection to state-changing POST endpoints

Add gorilla/csrf middleware to protect all HTML-serving routes against
cross-site request forgery attacks. The webhook endpoint is excluded
since it uses secret-based authentication.

Changes:
- Add gorilla/csrf v1.7.3 dependency
- Add CSRF() middleware method using session secret as key
- Apply CSRF middleware to all HTML route groups in routes.go
- Pass CSRF token to all templates via addGlobals helper
- Add {{ .CSRFField }} / {{ $.CSRFField }} hidden inputs to all forms

Closes #11

internal/middleware/middleware.go

@@ -10,6 +10,7 @@ import (
 	"github.com/99designs/basicauth-go"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/cors"
+	"github.com/gorilla/csrf"
 	"go.uber.org/fx"
 
 	"git.eeqj.de/sneak/upaas/internal/config"
@@ -152,6 +153,15 @@ func (m *Middleware) SessionAuth() func(http.Handler) http.Handler {
 	}
 }
 
+// CSRF returns CSRF protection middleware using gorilla/csrf.
+func (m *Middleware) CSRF() func(http.Handler) http.Handler {
+	return csrf.Protect(
+		[]byte(m.params.Config.SessionSecret),
+		csrf.Secure(false), // Allow HTTP for development; reverse proxy handles TLS
+		csrf.Path("/"),
+	)
+}
+
 // SetupRequired returns middleware that redirects to setup if no user exists.
 func (m *Middleware) SetupRequired() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {