CSRF protection for cookie-based refresh

[geolunalg]

Overview

User Story:
As a system, I want to prevent CSRF attacks on endpoints that rely on cookies.

Action Items

Acceptance Criteria:

• Refresh/logout endpoints are protected by:
  • SameSite cookie settings and/or
  • CSRF token (double submit or header-based)
• Backend rejects refresh requests missing CSRF proof (if implemented).

Resources/Instructions

• This issue is part of the epic: EPIC: Authentication & Session Management (JWT + Refresh) #2065

[geolunalg]

@JackHaeg @trillium @rteas

This is dependent on #2067 and #2068 client (frontend) inplementation portion

Size: L