fix: change SameSite=Strict to SameSite=Lax for session and CSRF cookies (#46)

Safari's ITP blocks Strict cookies on certain navigations (direct URL entry,
reverse proxy context), resulting in a 401 on login even with valid credentials.
Lax is safe: CSRF attacks are prevented by the double-submit token and the
HTTPS-only secure flag. Firefox and Chrome were unaffected.

server/middleware/csrf.js

@@ -33,10 +33,10 @@ function csrfMiddleware(req, res, next) {
     req.session.csrfToken = generateToken();
   }
 
-  // Cookie bei jedem Request erneuern (SameSite=Strict, nicht httpOnly → JS-lesbar)
+  // Cookie bei jedem Request erneuern (SameSite=Lax, nicht httpOnly → JS-lesbar)
   res.cookie('csrf-token', req.session.csrfToken, {
     httpOnly: false,
-    sameSite: 'strict',
+    sameSite: 'lax',
     secure: process.env.SESSION_SECURE !== 'false',
     maxAge: 1000 * 60 * 60 * 24 * 7, // 7 Tage (gleich wie Session)
   });