fix: resolve iOS forbidden errors by delivering CSRF token in response body

iOS Safari (especially PWA/standalone mode) unreliably exposes cookies
via document.cookie, causing CSRF token mismatch on state-changing
requests. The CSRF token is now included in /auth/login and /auth/me
response bodies and stored in-memory on the client. Cookie remains as
fallback. Retry mechanism also improved to read token from response
body and handle expired sessions.

server/auth.js

@@ -209,6 +209,7 @@ router.post('/login', loginLimiter, async (req, res) => {
           avatar_color: user.avatar_color,
           role: user.role,
         },
+        csrfToken: req.session.csrfToken,
       });
     });
   } catch (err) {
@@ -260,7 +261,7 @@ router.get('/me', requireAuth, (req, res) => {
       maxAge: 1000 * 60 * 60 * 24 * 7,
     });
 
-    res.json({ user });
+    res.json({ user, csrfToken: req.session.csrfToken });
   } catch (err) {
     log.error('/me Fehler:', err);
     res.status(500).json({ error: 'Interner Serverfehler.', code: 500 });