feat: implement Phase 1 (auth) and Phase 2 (faves CRUD) foundation

Go backend with server-rendered HTML/HTMX frontend, SQLite database,
and filesystem image storage. Self-hostable single-binary architecture.

Phase 1 — Authentication & project foundation:
- Argon2id password hashing with timing-attack prevention
- Session management with cookie-based auth and periodic cleanup
- Login, signup (open/requests/closed modes), logout, forced password reset
- CSRF double-submit cookie pattern with HTMX auto-inclusion
- Proxy-aware real IP extraction (WireGuard/Tailscale support)
- Configurable base path for subdomain and subpath deployment
- Rate limiting on auth endpoints with background cleanup
- Security headers (CSP, X-Frame-Options, Referrer-Policy)
- Structured logging with slog, graceful shutdown
- Pico CSS + HTMX vendored and embedded via go:embed

Phase 2 — Faves CRUD with tags and images:
- Full CRUD for favorites with ownership checks
- Image upload with EXIF stripping, resize to 1920px, UUID filenames
- Tag system with HTMX autocomplete (prefix search, popularity-sorted)
- Privacy controls (public/private per fave, user-configurable default)
- Tag browsing, pagination, batch tag loading (avoids N+1)
- OpenGraph meta tags on public fave detail pages

Includes code quality pass: extracted shared helpers, fixed signup
request persistence bug, plugged rate limiter memory leak, removed
dead code, and logged previously-swallowed errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/middleware/csrf.go

@@ -0,0 +1,93 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package middleware
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"net/http"
+	"strings"
+
+	"kode.naiv.no/olemd/favoritter/internal/config"
+)
+
+const (
+	csrfCookieName = "csrf_token"
+	csrfFormField  = "csrf_token"
+	csrfHeaderName = "X-CSRF-Token"
+)
+
+// CSRFProtection implements double-submit cookie pattern for CSRF prevention.
+// A token is stored in a cookie and must also be submitted in a form field
+// or header on state-changing requests (POST, PUT, DELETE, PATCH).
+func CSRFProtection(cfg *config.Config) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Read or generate the CSRF token.
+			token := ""
+			if cookie, err := r.Cookie(csrfCookieName); err == nil {
+				token = cookie.Value
+			}
+			if token == "" {
+				token = generateCSRFToken()
+				secure := IsSecureRequest(r, cfg)
+				http.SetCookie(w, &http.Cookie{
+					Name:     csrfCookieName,
+					Value:    token,
+					Path:     "/",
+					HttpOnly: false, // JS needs to read it for HTMX hx-headers
+					Secure:   secure,
+					SameSite: http.SameSiteLaxMode,
+				})
+			}
+
+			// Attach token to context for templates.
+			ctx := context.WithValue(r.Context(), csrfTokenKey, token)
+			r = r.WithContext(ctx)
+
+			// Validate on state-changing methods.
+			if isStateChangingMethod(r.Method) {
+				// Skip CSRF check for API routes that use Bearer auth (future).
+				if !strings.HasPrefix(r.URL.Path, "/api/") {
+					submitted := r.FormValue(csrfFormField)
+					if submitted == "" {
+						submitted = r.Header.Get(csrfHeaderName)
+					}
+					if submitted != token {
+						http.Error(w, "CSRF token mismatch", http.StatusForbidden)
+						return
+					}
+				}
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+func isStateChangingMethod(method string) bool {
+	switch method {
+	case http.MethodPost, http.MethodPut, http.MethodDelete, http.MethodPatch:
+		return true
+	}
+	return false
+}
+
+func generateCSRFToken() string {
+	b := make([]byte, 32)
+	rand.Read(b)
+	return hex.EncodeToString(b)
+}
+
+// IsSecureRequest determines if the original client request used HTTPS,
+// checking X-Forwarded-Proto from trusted proxies.
+func IsSecureRequest(r *http.Request, cfg *config.Config) bool {
+	if cfg.ExternalURL != "" {
+		return strings.HasPrefix(cfg.ExternalURL, "https://")
+	}
+	if proto := r.Header.Get("X-Forwarded-Proto"); proto != "" {
+		return proto == "https"
+	}
+	return r.TLS != nil
+}