refactor: replace custom CSRF and rate-limiting with off-the-shelf libraries

Replace custom CSRF middleware with gorilla/csrf and custom rate-limiting
middleware with go-chi/httprate, as requested in code review.

CSRF changes:
- Replace session-based CSRF tokens with gorilla/csrf cookie-based
  double-submit pattern (HMAC-authenticated cookies)
- Keep same form field name (csrf_token) for template compatibility
- Keep same route exclusions (webhook/API routes)
- In dev mode, mark requests as plaintext HTTP to skip Referer check

Rate limiting changes:
- Replace custom token-bucket rate limiter with httprate sliding-window
  counter (per-IP, 5 POST requests/min on login endpoint)
- Remove custom IP extraction (httprate.KeyByRealIP handles
  X-Forwarded-For, X-Real-IP, True-Client-IP)
- Remove custom cleanup goroutine (httprate manages its own state)

Kept as-is:
- SSRF prevention code (internal/delivery/ssrf.go) — application-specific
- CSRFToken() wrapper function — handlers unchanged

Updated README security section and architecture overview to reflect
library choices.

internal/middleware/csrf.go

@@ -1,102 +1,56 @@
 package middleware
 
 import (
-	"context"
-	"crypto/rand"
-	"crypto/subtle"
-	"encoding/hex"
 	"net/http"
+
+	"github.com/gorilla/csrf"
 )
 
-const (
-	// csrfTokenLength is the byte length of generated CSRF tokens.
-	// 32 bytes = 64 hex characters, providing 256 bits of entropy.
-	csrfTokenLength = 32
-
-	// csrfSessionKey is the session key where the CSRF token is stored.
-	csrfSessionKey = "csrf_token"
-
-	// csrfFormField is the HTML form field name for the CSRF token.
-	csrfFormField = "csrf_token"
-)
-
-// csrfContextKey is the context key type for CSRF tokens.
-type csrfContextKey struct{}
-
 // CSRFToken retrieves the CSRF token from the request context.
-// Returns an empty string if no token is present.
+// Returns an empty string if the gorilla/csrf middleware has not run.
 func CSRFToken(r *http.Request) string {
-	if token, ok := r.Context().Value(csrfContextKey{}).(string); ok {
-		return token
-	}
-	return ""
+	return csrf.Token(r)
 }
 
-// CSRF returns middleware that provides CSRF protection for state-changing
-// requests. For every request, it ensures a CSRF token exists in the
-// session and makes it available via the request context. For POST, PUT,
-// PATCH, and DELETE requests, it validates the submitted csrf_token form
-// field against the session token. Requests with an invalid or missing
+// CSRF returns middleware that provides CSRF protection using the
+// gorilla/csrf library. The middleware uses the session authentication
+// key to sign a CSRF cookie and validates a masked token submitted via
+// the "csrf_token" form field (or the "X-CSRF-Token" header) on
+// POST/PUT/PATCH/DELETE requests. Requests with an invalid or missing
 // token receive a 403 Forbidden response.
+//
+// In development mode, requests are marked as plaintext HTTP so that
+// gorilla/csrf skips the strict Referer-origin check (which is only
+// meaningful over TLS).
 func (m *Middleware) CSRF() func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			sess, err := m.session.Get(r)
-			if err != nil {
-				m.log.Error("csrf: failed to get session", "error", err)
-				http.Error(w, "Forbidden", http.StatusForbidden)
-				return
-			}
+	protect := csrf.Protect(
+		m.session.GetKey(),
+		csrf.FieldName("csrf_token"),
+		csrf.Secure(!m.params.Config.IsDev()),
+		csrf.SameSite(csrf.SameSiteLaxMode),
+		csrf.Path("/"),
+		csrf.ErrorHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			m.log.Warn("csrf: token validation failed",
+				"method", r.Method,
+				"path", r.URL.Path,
+				"remote_addr", r.RemoteAddr,
+				"reason", csrf.FailureReason(r),
+			)
+			http.Error(w, "Forbidden - invalid CSRF token", http.StatusForbidden)
+		})),
+	)
 
-			// Ensure a CSRF token exists in the session
-			token, ok := sess.Values[csrfSessionKey].(string)
-			if !ok {
-				token = ""
-			}
-			if token == "" {
-				token, err = generateCSRFToken()
-				if err != nil {
-					m.log.Error("csrf: failed to generate token", "error", err)
-					http.Error(w, "Internal Server Error", http.StatusInternalServerError)
-					return
-				}
-				sess.Values[csrfSessionKey] = token
-				if saveErr := m.session.Save(r, w, sess); saveErr != nil {
-					m.log.Error("csrf: failed to save session", "error", saveErr)
-					http.Error(w, "Internal Server Error", http.StatusInternalServerError)
-					return
-				}
-			}
-
-			// Store token in context for templates
-			ctx := context.WithValue(r.Context(), csrfContextKey{}, token)
-			r = r.WithContext(ctx)
-
-			// Validate token on state-changing methods
-			switch r.Method {
-			case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
-				submitted := r.FormValue(csrfFormField)
-				if subtle.ConstantTimeCompare([]byte(submitted), []byte(token)) != 1 {
-					m.log.Warn("csrf: token mismatch",
-						"method", r.Method,
-						"path", r.URL.Path,
-						"remote_addr", r.RemoteAddr,
-					)
-					http.Error(w, "Forbidden - invalid CSRF token", http.StatusForbidden)
-					return
-				}
-			}
-
-			next.ServeHTTP(w, r)
-		})
+	// In development (plaintext HTTP), signal gorilla/csrf to skip
+	// the strict TLS Referer check by injecting the PlaintextHTTP
+	// context key before the CSRF handler sees the request.
+	if m.params.Config.IsDev() {
+		return func(next http.Handler) http.Handler {
+			csrfHandler := protect(next)
+			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				csrfHandler.ServeHTTP(w, csrf.PlaintextHTTPRequest(r))
+			})
+		}
 	}
-}
 
-// generateCSRFToken creates a cryptographically random hex-encoded token.
-func generateCSRFToken() (string, error) {
-	b := make([]byte, csrfTokenLength)
-	if _, err := rand.Read(b); err != nil {
-		return "", err
-	}
-	return hex.EncodeToString(b), nil
+	return protect
 }