Fix(Security): Overhaul CSRF validation lifecycle and secure POST actions
Fixed:
- Fixed CSRF token generation timing. New tokens are now exclusively generated during the response phase (generateResponse, generateResponseWithAttr, generateJsonResponse) rather than immediately upon request arrival. This fixes the bug where valid POST requests were rejected, while maintaining robust protection against F5 double-submits.
- Centralized the CSRF error validation check at the top of handlePost(). This automatically secures all built-in actions (submit, delete) and custom handler logic (handleExtraConfigs) out-of-the-box.
- Improved error handling by automatically appending the csrfError request attribute to the handler's error messages before rendering the default response.
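
The lifecycle described in this commit message, as a minimal Python model added here for illustration; it is not the project's code. `Session`, `Handler`, `rotate_on_arrival` and `replay_demo` are hypothetical names, and the form data is constructed.

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for a server-side session."""
    def __init__(self):
        self.csrf_token = None


class Handler:
    """Hypothetical handler; rotate_on_arrival=True models the old bug."""
    def __init__(self, rotate_on_arrival=False):
        self.rotate_on_arrival = rotate_on_arrival
        self.actions_run = 0

    def _rotate(self, session):
        session.csrf_token = secrets.token_urlsafe(32)
        return session.csrf_token

    def generate_response(self, session, errors=()):
        # Response phase: the only place a fresh token is issued.
        return {"csrf_token": self._rotate(session), "errors": list(errors)}

    def handle_post(self, session, form):
        if self.rotate_on_arrival:
            # Old timing: the token the form carries is replaced before the check.
            self._rotate(session)
        expected = session.csrf_token or ""
        submitted = form.get("csrf_token", "")
        # Centralized check before any action (submit, delete, custom) runs.
        valid = bool(expected) and hmac.compare_digest(
            submitted.encode(), expected.encode())
        if not valid:
            # The CSRF error is appended to the errors rendered with the response.
            return self.generate_response(session, ["Invalid or expired CSRF token"])
        self.actions_run += 1  # stands in for the protected action
        return self.generate_response(session)  # token rotates here, after use


def replay_demo(rotate_on_arrival):
    """GET a form, POST it, then resubmit the same form (F5)."""
    handler, session = Handler(rotate_on_arrival), Session()
    form = {"csrf_token": handler.generate_response(session)["csrf_token"]}
    first = handler.handle_post(session, form)
    second = handler.handle_post(session, form)
    return first["errors"], second["errors"], handler.actions_run
```

With response-phase rotation the first POST succeeds and the resubmitted form is rejected; with rotation on arrival even the first, legitimate POST fails.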