
Commit ec7d0dd

fix(security): correct CSRF token expiration from nanoseconds to 1 hour (#390)
## Summary

- **Critical security fix**: CSRF token expiration was incorrectly set to `3600` (interpreted as 3600 nanoseconds = ~3.6 microseconds) instead of `time.Hour`
- This caused all login attempts to fail with "CSRF token validation failed" because tokens expired instantly
- Production at https://accessmanager.netresearch.de/login is affected

## Root Cause

```go
// Before (broken) - 3600 nanoseconds = instant expiration
Expiration: 3600, // 1 hour

// After (fixed) - proper 1 hour duration
Expiration: time.Hour,
```

The Fiber CSRF middleware expects a `time.Duration`, but was given an untyped integer which Go interpreted as nanoseconds.

## Test plan

- [x] Built and tested locally with docker compose
- [x] Verified CSRF tokens are now properly validated
- [x] Ran CSRF-related tests (`go test ./internal/web/... -run CSRF`)
2 parents 60bf7e6 + 129d143 commit ec7d0dd
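The failure mode described in the commit message, worked through as an added example (not code from the project or the Fiber middleware): a `time.Duration` field silently accepts the untyped constant `3600`, so a token checked even a millisecond after issue is already expired, and a startup sanity check catches the mistake before it reaches production. The struct name, `minExpiration` bound and helper functions are assumptions for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// csrfConfig mirrors the shape of the middleware option that was fixed:
// a time.Duration field, which also accepts an untyped integer constant.
// (Hypothetical type, not the middleware's own config struct.)
type csrfConfig struct {
	Expiration time.Duration
}

// minExpiration is an assumed lower bound; anything shorter means the token
// expires before the browser can echo it back in the form post.
const minExpiration = time.Minute

// validateExpiration is a startup guard: it rejects implausibly short
// expirations, which is exactly what an untyped integer produces.
func validateExpiration(cfg csrfConfig) error {
	if cfg.Expiration < minExpiration {
		return fmt.Errorf("csrf expiration %v is below %v; an untyped integer constant is read as nanoseconds",
			cfg.Expiration, minExpiration)
	}
	return nil
}

// tokenValid reports whether a token issued at issuedAt is still fresh at now
// under the given configuration.
func tokenValid(issuedAt, now time.Time, cfg csrfConfig) bool {
	return now.Sub(issuedAt) < cfg.Expiration
}

func main() {
	broken := csrfConfig{Expiration: 3600}     // compiles fine: 3600ns = 3.6µs
	fixed := csrfConfig{Expiration: time.Hour} // what the author intended

	// Constructed timestamps: token issued, then posted back 1ms later.
	issued := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	posted := issued.Add(time.Millisecond)

	for _, cfg := range []csrfConfig{broken, fixed} {
		fmt.Printf("Expiration=%v valid-after-1ms=%t guard=%v\n",
			cfg.Expiration, tokenValid(issued, posted, cfg), validateExpiration(cfg))
	}
}
```

Running it shows the broken config printing `Expiration=3.6µs valid-after-1ms=false` with a guard error, while the fixed config passes both checks.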


1 file changed

+1
-1
lines changed


internal/web/server.go

Lines changed: 1 addition & 1 deletion
@@ -188,7 +188,7 @@ func createCSRFConfig(opts *options.Opts) *fiber.Handler {
188188
CookieSameSite: "Strict", // Strict for maximum security with proxy trust enabled
189189
CookieSecure: opts.CookieSecure, // Configurable based on HTTPS availability
190190
CookieHTTPOnly: true,
191-
Expiration: 3600, // 1 hour
191+
Expiration: time.Hour,
192192
KeyGenerator: csrf.ConfigDefault.KeyGenerator,
193193
ContextKey: "token", // Store token in c.Locals("token") for template access
194194
ErrorHandler: func(c *fiber.Ctx, err error) error {
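Review bot: the one-line change to `Expiration: time.Hour` is correct, but nothing in this diff prevents the regression from recurring: the untyped constant `3600` compiled without complaint against a `time.Duration` field, and the commit message's test plan only re-runs existing CSRF tests rather than adding one for this value. Suggest a unit test on `createCSRFConfig` that asserts the configured expiration equals `time.Hour` (or at least exceeds some sane minimum), so a future edit that reintroduces a bare integer fails in CI instead of in production. It is also worth noting for the changelog that the removed trailing comment `// 1 hour` was what made the bug hard to spot in review; the typed constant now documents itself.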
