Harden CSRF/CSP and add hash version upgrades

GameList.Tests/AuthTests.cs

@@ -107,6 +107,37 @@ public class AuthTests
         });
     }
 
+    [Fact]
+    public async Task Login_upgrades_legacy_password_hash_version()
+    {
+        await using var factory = new TestWebApplicationFactory();
+        var client = factory.CreateClientWithCookies();
+        await client.RegisterAsync("rehashme");
+
+        byte[] originalHash = [];
+        await factory.WithDbContextAsync(async db =>
+        {
+            var player = await db.Players.SingleAsync();
+            var (legacyHash, legacySalt) = PasswordHasher.HashPassword("Pass123!", PasswordHasher.LegacyVersion);
+
+            originalHash = legacyHash.ToArray();
+            player.PasswordHash = legacyHash;
+            player.PasswordSalt = legacySalt;
+            player.PasswordHashVersion = PasswordHasher.LegacyVersion;
+            await db.SaveChangesAsync();
+        });
+
+        var login = await client.LoginAsync("rehashme", "Pass123!");
+        login.EnsureSuccessStatusCode();
+
+        await factory.WithDbContextAsync(async db =>
+        {
+            var player = await db.Players.AsNoTracking().SingleAsync();
+            Assert.Equal(PasswordHasher.CurrentVersion, player.PasswordHashVersion);
+            Assert.False(player.PasswordHash.SequenceEqual(originalHash));
+        });
+    }
+
     [Fact]
     public async Task Register_with_admin_key_sets_admin_flag()
     {