fix(csrf): use generateCsrfToken with more "user friendly" settings

fixes the case, where existing TriliumNext users, will get
a "Invalid CSRF Token" Message, when they have an older
_csrf token in their cookies from a previous installation/visit.
the settings now will handle these cases in the background automatically.

also fixes #950

src/routes/index.ts

@@ -11,6 +11,8 @@ import protectedSessionService from "../services/protected_session.js";
 import packageJson from "../../package.json" with { type: "json" };
 import assetPath from "../services/asset_path.js";
 import appPath from "../services/app_path.js";
+import { generateToken as generateCsrfToken } from "./csrf_protection.js";
+
 import type { Request, Response } from "express";
 import type BNote from "../becca/entities/bnote.js";
 
@@ -19,7 +21,9 @@ function index(req: Request, res: Response) {
 
     const view = !utils.isElectron() && req.cookies["trilium-device"] === "mobile" ? "mobile" : "desktop";
 
-    const csrfToken = (typeof req.csrfToken === "function") ? req.csrfToken() : undefined;
+    //'overwrite' set to false (default) => the existing token will be re-used and validated
+    //'validateOnReuse' set to false => if validation fails, generate a new token instead of throwing an error
+    const csrfToken = generateCsrfToken(req, res, false, false);
     log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader("set-cookie")}`);
 
     // We force the page to not be cached since on mobile the CSRF token can be