fix: resolve iOS PWA session/CSRF issues causing forbidden errors

- Renew CSRF cookie on /auth/me (first call after iOS PWA resume)
- Add try-catch + hex validation to CSRF middleware for corrupted tokens
- Auto-retry state-changing requests on 403 by refreshing CSRF token
- Add 200ms delay before SW controllerchange reload to prevent blank page on iOS
Ulas
2026-04-14 17:37:22 +02:00
parent 8af730e9cf
commit 8d99c3d2d6
4 changed files with 42 additions and 11 deletions
+8 -1
@@ -22,7 +22,7 @@ function getCsrfToken() {
* @param {RequestInit} options - Fetch-Optionen
* @returns {Promise<any>} Geparstes JSON oder wirft einen Fehler
*/
async function apiFetch(path, options = {}) {
async function apiFetch(path, options = {}, _retried = false) {
const url = `${API_BASE}${path}`;
const method = options.method ?? 'GET';
@@ -45,6 +45,13 @@ async function apiFetch(path, options = {}) {
throw new Error('Sitzung abgelaufen.');
}
// CSRF-Token-Desync (haeufig nach iOS-PWA-Resume): einmal GET /auth/me
// ausfuehren um den CSRF-Cookie zu erneuern, dann den Request wiederholen.
if (response.status === 403 && stateChanging && !_retried) {
await fetch(`${API_BASE}/auth/me`, { credentials: 'same-origin', cache: 'no-store' });
return apiFetch(path, options, true);
}
const data = await response.json().catch(() => null);
if (!response.ok) {