fix: resolve iOS PWA session/CSRF issues causing forbidden errors

- Renew CSRF cookie on /auth/me (first call after iOS PWA resume)
- Add try-catch + hex validation to CSRF middleware for corrupted tokens
- Auto-retry state-changing requests on 403 by refreshing CSRF token
- Add 200ms delay before SW controllerchange reload to prevent blank page on iOS

server/middleware/csrf.js

@@ -51,13 +51,20 @@ function csrfMiddleware(req, res, next) {
   const sessionToken  = req.session.csrfToken;
   const expectedLen   = TOKEN_LENGTH * 2; // 64 Hex-Zeichen
 
-  const tokenValid =
-    headerToken.length === expectedLen &&
-    sessionToken.length === expectedLen &&
-    crypto.timingSafeEqual(
-      Buffer.from(headerToken,  'hex'),
-      Buffer.from(sessionToken, 'hex')
-    );
+  let tokenValid = false;
+  try {
+    tokenValid =
+      headerToken.length === expectedLen &&
+      sessionToken.length === expectedLen &&
+      // Nur valides Hex vergleichen (iOS kann Cookies korrumpieren)
+      /^[0-9a-f]+$/i.test(headerToken) &&
+      crypto.timingSafeEqual(
+        Buffer.from(headerToken,  'hex'),
+        Buffer.from(sessionToken, 'hex')
+      );
+  } catch {
+    // Buffer-Fehler bei korruptem Token - tokenValid bleibt false
+  }
 
   if (!tokenValid) {
     return res.status(403).json({ error: 'Ungültiges CSRF-Token.', code: 403 });