fix(csrfMiddleware): use sessionSecret instead

since `cookie-parser` is not configured with a secret,
req.secret is not set and hence is `undefined`,
which then is used as literal 'undefined' in the hashing function – making it less secure.

Instead we can use the existing sessionSecret:
the `csrf-csrf` developer confirmed in their Discord chat,
that it would be ok to use the same secret here.

src/routes/routes.ts

@@ -15,6 +15,7 @@ import rateLimit from "express-rate-limit";
 import AbstractBeccaEntity from "../becca/entities/abstract_becca_entity.js";
 import NotFoundError from "../errors/not_found_error.js";
 import ValidationError from "../errors/validation_error.js";
+import sessionSecret from "../services/session_secret.js";
 
 // page routes
 import setupRoute from "./setup.js";
@@ -72,7 +73,7 @@ import etapiSpecRoute from "../etapi/spec.js";
 import etapiBackupRoute from "../etapi/backup.js";
 
 const { doubleCsrfProtection: csrfMiddleware } = doubleCsrf({
-  getSecret: (req) => req.secret,
+  getSecret: () => sessionSecret,
   cookieOptions: {
     path: "",       // empty, so cookie is valid only for the current path
     secure: false,