fix: service edit, CSRF token stability, and license restore (v1.1.1)

- Fix service edit double-write bug (was creating duplicate entries)
- Add editable display name field to service edit modal
- Backend update endpoint now accepts name, logo, and recalculates url
- Fix CSRF token regeneration breaking all POST requests (nonce was
  being regenerated on every request, invalidating cached tokens)
- CSRF nonce now persists across requests, rotated only on TOTP login
- Frontend secureFetch auto-retries on CSRF failure with fresh token
- Restore lifetime license activation on DNS2

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

dashcaddy-api/csrf-protection.js

@@ -49,31 +49,56 @@ function parseCookie(cookieHeader) {
 }
 
 /**
- * Middleware to set CSRF cookie on all requests.
- * Always generates a fresh nonce server-side (never trusts client-supplied values).
- * The cookie holds the nonce; JavaScript must read it and send the HMAC signature
- * in the x-csrf-token header. The /api/csrf-token endpoint provides the signature.
+ * Middleware to set CSRF cookie on requests.
+ * Preserves existing nonce to avoid invalidating tokens the client has cached.
+ * New nonce is generated only on first visit (no cookie) or after TOTP login
+ * (which calls renewCSRFToken). If TOTP is disabled, the nonce is set once
+ * and never changes.
  */
 function csrfCookieMiddleware(req, res, next) {
-  // Always generate a fresh server-side nonce
-  const csrfNonce = generateToken();
+  const cookies = parseCookie(req.headers.cookie);
+  const existingNonce = cookies[CSRF_COOKIE_NAME];
+
+  // Reuse existing nonce; only generate fresh if no cookie exists yet
+  const csrfNonce = existingNonce || generateToken();
 
   // Store nonce + signature on request so endpoints can access them
   req.csrfToken = signToken(csrfNonce);
   req.csrfNonce = csrfNonce;
 
-  // Set cookie with the nonce (SameSite=Strict for additional protection)
-  res.cookie(CSRF_COOKIE_NAME, csrfNonce, {
-    httpOnly: false, // Must be readable by JavaScript for signing
-    secure: req.secure || req.protocol === 'https', // Only secure in HTTPS
-    sameSite: 'strict',
-    path: '/',
-    maxAge: 24 * 60 * 60 * 1000 // 24 hours
-  });
+  // Only set cookie if it's new (avoids unnecessary Set-Cookie headers)
+  if (!existingNonce) {
+    res.cookie(CSRF_COOKIE_NAME, csrfNonce, {
+      httpOnly: false, // Must be readable by JavaScript for signing
+      secure: req.secure || req.protocol === 'https',
+      sameSite: 'strict',
+      path: '/',
+      maxAge: 365 * 24 * 60 * 60 * 1000 // 1 year (effectively permanent)
+    });
+  }
 
   next();
 }
 
+/**
+ * Generate a fresh CSRF nonce and set it on the response.
+ * Called after TOTP login to rotate the token for the new session.
+ * @param {Object} res - Express response object
+ * @param {boolean} secure - Whether to set Secure flag on cookie
+ * @returns {string} The new CSRF signed token
+ */
+function renewCSRFToken(res, secure) {
+  const csrfNonce = generateToken();
+  res.cookie(CSRF_COOKIE_NAME, csrfNonce, {
+    httpOnly: false,
+    secure: !!secure,
+    sameSite: 'strict',
+    path: '/',
+    maxAge: 365 * 24 * 60 * 60 * 1000
+  });
+  return signToken(csrfNonce);
+}
+
 /**
  * Middleware to validate CSRF token on state-changing requests
  * Validates that the token in the cookie matches the token in the header
@@ -174,5 +199,6 @@ module.exports = {
   signToken,
   parseCookie,
   csrfCookieMiddleware,
-  csrfValidationMiddleware
+  csrfValidationMiddleware,
+  renewCSRFToken
 };