security: add global AutoValidateAntiforgeryToken filter (#1059)

## Summary

Adds a global `AutoValidateAntiforgeryTokenAttribute` filter to all MVC
controller actions, resolving the long-standing TODO comment in
`Program.cs`.

## What changed

Replaced the TODO comment with an explicit `AddControllersWithViews`
registration:

```csharp
builder.Services.AddControllersWithViews(options =>
{
    options.Filters.Add(new Microsoft.AspNetCore.Mvc.AutoValidateAntiforgeryTokenAttribute());
});
```

## Why

This was identified during an OWASP .NET Security Cheat Sheet alignment
review. The [Microsoft docs explicitly
recommend](https://learn.microsoft.com/aspnet/core/security/anti-request-forgery#generate-antiforgery-tokens-with-iantiforgery)
applying `AutoValidateAntiforgeryToken` globally for non-API scenarios:

> "It's more likely in this scenario for a POST action method to be left
unprotected by mistake, leaving the app vulnerable to CSRF attacks."

## Context

- **Razor Pages** (Identity, login, register, etc.) are already
auto-protected — no change needed there.
- **API controllers** (Chat, MCP) use bearer token auth, so CSRF does
not apply to them. They can use `[IgnoreAntiforgeryToken]` if needed.
- `AddControllersWithViews` coexists cleanly with the existing
`AddRazorPages()` — this is the standard pattern for mixed MVC + Razor
Pages apps.

## Risk

Low. The only impact would be if an MVC controller POST action is called
without a valid antiforgery token — which would only affect requests
that are already missing CSRF protection (i.e., exactly the scenario
this fixes).

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: BenjaminMichaelis <22186029+BenjaminMichaelis@users.noreply.github.com>

Author: BenjaminMichaelis

EssentialCSharp.Web/Controllers/ChatController.cs

@@ -10,6 +10,7 @@ namespace EssentialCSharp.Web.Controllers;
 [Route("api/[controller]")]
 [Authorize]
 [EnableRateLimiting("ChatEndpoint")]
+[IgnoreAntiforgeryToken]
 public partial class ChatController : ControllerBase
 {
     private readonly AIChatService _AiChatService;

EssentialCSharp.Web/Controllers/McpTokenController.cs

@@ -9,6 +9,7 @@ namespace EssentialCSharp.Web.Controllers;
 [Route("api/[controller]")]
 [Authorize]
 [ResponseCache(Location = ResponseCacheLocation.None, NoStore = true)]
+[IgnoreAntiforgeryToken]
 public class McpTokenController(McpApiTokenService tokenService) : ControllerBase
 {
     public record CreateTokenRequest(string? Name, DateOnly? ExpiresOn = null);

EssentialCSharp.Web/Program.cs

@@ -232,7 +232,10 @@ private static void Main(string[] args)
             throw new NotSupportedException("The default UI requires a user store with password support.");
         });
 
-        //TODO: Implement the anti-forgery token with every POST/PUT request: https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery
+        builder.Services.AddControllersWithViews(options =>
+        {
+            options.Filters.Add(new Microsoft.AspNetCore.Mvc.AutoValidateAntiforgeryTokenAttribute());
+        });
 
         if (!builder.Environment.IsDevelopment())
         {