
security: reject unissued csrf tokens#1660

Open
saurabhhhcodes wants to merge 2 commits into leonagoel:main from saurabhhhcodes:fix/csrf-token-registry


Conversation

@saurabhhhcodes


Fixes #1657.

What changed

  • Added a server-issued token registry in backend/csrf.py so CSRF validation only accepts tokens minted by the app.
  • Kept the existing format and constant-time checks, but now reject valid-looking forged tokens that were never issued.
  • Added a regression test for a matching cookie/header pair that was not generated by the server.

Why

Double-submit cookie protection should not accept an arbitrary matching token pair. This change closes the token-injection path described in the issue by requiring server issuance before a token can be used.

How to test

  • python3 -m py_compile backend/csrf.py tests/test_csrf.py
  • Run the CSRF smoke test used during implementation.
  • Confirm a server-issued token succeeds and a forged 64-char hex token returns 403.

Validation

  • python3 -m py_compile backend/csrf.py tests/test_csrf.py
  • Direct middleware smoke test with TestClient
  • git diff --check
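The registry-backed double-submit check that the description outlines, written here as an added example; it is not the PR's own backend/csrf.py, and the class and function names, the 64-hex-char token format, the expiry handling and the 200/403 result codes are assumptions drawn from the text above:

```python
import hmac
import secrets
import threading
import time

TOKEN_HEX_LEN = 64  # 32 random bytes as hex; assumed from the 64-char tokens the PR mentions


class CsrfTokenRegistry:
    """Remembers tokens the server minted, so validation can refuse any pair it never issued."""

    def __init__(self, ttl_seconds: float = 3600.0, clock=time.monotonic):
        self._issued: dict[str, float] = {}  # token -> expiry time (assumed TTL design)
        self._lock = threading.Lock()
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so a test can simulate expiry without sleeping

    def issue(self) -> str:
        token = secrets.token_hex(TOKEN_HEX_LEN // 2)
        with self._lock:
            self._issued[token] = self._clock() + self._ttl
        return token

    def was_issued(self, token: str) -> bool:
        with self._lock:
            expiry = self._issued.get(token)
            if expiry is None:
                return False
            if expiry <= self._clock():
                del self._issued[token]  # expired: drop it so the registry cannot grow without bound
                return False
            return True


def well_formed(token) -> bool:
    """Format check only: 64 lowercase hex characters. A forged token passes this."""
    return isinstance(token, str) and len(token) == TOKEN_HEX_LEN and all(c in "0123456789abcdef" for c in token)


def validate_double_submit(registry: CsrfTokenRegistry, cookie_token, header_token) -> int:
    """Return 200 when the cookie/header pair is acceptable, otherwise 403.

    A forged pair can pass both the format check and the constant-time equality check;
    the registry lookup is the step that closes that gap."""
    if not (well_formed(cookie_token) and well_formed(header_token)):
        return 403
    if not hmac.compare_digest(cookie_token, header_token):
        return 403
    if not registry.was_issued(cookie_token):
        return 403
    return 200
```

The registry is per-process; a deployment with several workers would need a shared store or a keyed-MAC scheme instead, which this example does not cover.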

@github-actions


🎉 Welcome to Hybrid Recommender, @saurabhhhcodes! This is your first contribution here!

Labels added: gssoc:approved | mentor:leonagoel | status:review-needed

PR Description Checklist:

YES - What changed section
YES - Why section
YES - How to test section
YES - Related issue linked

✅ PR description looks complete!

What happens next:

  1. @leonagoel will review your changes
  2. CI checks must pass
  3. Once approved, this PR will be auto-merged

⏱️ Please respond to review comments within 48 hours.



Development

Successfully merging this pull request may close these issues.

Security: CSRF Token Injection Vulnerability in Double Submit Cookie Protection

2 participants