refactor: Phase 1 code cleanup - constants, logging, and repository organization

dashcaddy-api/csrf-protection.js

@@ -120,13 +120,15 @@ function csrfValidationMiddleware(req, res, next) {
   const excludedPaths = [
     '/api/totp/verify',
     '/api/totp/verify-setup',
+    '/api/totp/setup',
     '/health',
     '/api/health'
   ];
 
-  // Check if path starts with excluded prefix
-  const isExcluded = excludedPaths.some(path => req.path === path) ||
-                     req.path.startsWith('/api/auth/gate/');
+  // Normalize /api/v1/... to /api/... so exclusions work with both prefixes
+  const normalizedPath = req.path.replace(/^\/api\/v1\//, '/api/');
+  const isExcluded = excludedPaths.some(path => normalizedPath === path) ||
+                     normalizedPath.startsWith('/api/auth/gate/');
 
   if (isExcluded) {
     return next();