feat(security): use bcrypt hashes and safe paths for boxes

- Replace legacy salted password hashing with bcrypt and store hash alg
- Accept existing bcrypt hashes while keeping legacy verification fallback
- Validate box IDs and use SafeChildPath for box/file operations to prevent traversal
- Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip writefeat(security): use bcrypt hashes and safe paths for boxes

- Replace legacy salted password hashing with bcrypt and store hash alg
- Accept existing bcrypt hashes while keeping legacy verification fallback
- Validate box IDs and use SafeChildPath for box/file operations to prevent traversal
- Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip write

templates/admin.html

@@ -20,12 +20,13 @@
                 </header>
                 <div class="win98-panel admin-panel">
                     <nav class="admin-nav">
-                        <span>Signed in as {{ .CurrentUser }}</span>
-                        <span class="admin-spacer"></span>
-                        <form action="/admin/logout" method="post">
-                            <button class="win98-button" type="submit">Logout</button>
-                        </form>
-                    </nav>
+						<span>Signed in as {{ .CurrentUser }}</span>
+						<span class="admin-spacer"></span>
+						<form action="/admin/logout" method="post">
+							<input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
+							<button class="win98-button" type="submit">Logout</button>
+						</form>
+					</nav>
                     <div class="admin-grid">
                         <a class="win98-panel admin-link" href="/admin/boxes"><strong>Boxes</strong></a>
                         <a class="win98-panel admin-link" href="/admin/users"><strong>Users</strong></a>