fix: resolve iOS PWA session/CSRF issues causing forbidden errors

- Renew CSRF cookie on /auth/me (first call after iOS PWA resume)
- Add try-catch + hex validation to CSRF middleware for corrupted tokens
- Auto-retry state-changing requests on 403 by refreshing CSRF token
- Add 200ms delay before SW controllerchange reload to prevent blank page on iOS

server/auth.js

@@ -247,6 +247,19 @@ router.get('/me', requireAuth, (req, res) => {
       return res.status(401).json({ error: 'Benutzer nicht gefunden.', code: 401 });
     }
 
+    // CSRF-Token erneuern falls vorhanden (wichtig fuer iOS-PWA-Resume:
+    // iOS kann den CSRF-Cookie verwerfen waehrend die Session-Cookie erhalten bleibt.
+    // /me ist der erste API-Call nach App-Resume, also hier den Cookie wiederherstellen.)
+    if (!req.session.csrfToken) {
+      req.session.csrfToken = generateToken();
+    }
+    res.cookie('csrf-token', req.session.csrfToken, {
+      httpOnly: false,
+      sameSite: 'lax',
+      secure: process.env.SESSION_SECURE !== 'false',
+      maxAge: 1000 * 60 * 60 * 24 * 7,
+    });
+
     res.json({ user });
   } catch (err) {
     log.error('/me Fehler:', err);