fix(api): resolve CSRF guard ordering with global AuthGuard (#514)

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

apps/api/src/common/guards/csrf.guard.spec.ts

@@ -174,17 +174,19 @@ describe("CsrfGuard", () => {
   });
 
   describe("Session binding validation", () => {
-    it("should reject when user is not authenticated", () => {
+    it("should allow when user context is not yet available (global guard ordering)", () => {
+      // CsrfGuard runs as APP_GUARD before per-controller AuthGuard,
+      // so request.user may not be populated. Double-submit cookie match
+      // is sufficient protection in this case.
       const token = generateValidToken("user-123");
       const context = createContext(
         "POST",
         { "csrf-token": token },
         { "x-csrf-token": token },
         false
-        // No userId - unauthenticated
+        // No userId - AuthGuard hasn't run yet
       );
-      expect(() => guard.canActivate(context)).toThrow(ForbiddenException);
-      expect(() => guard.canActivate(context)).toThrow("CSRF validation requires authentication");
+      expect(guard.canActivate(context)).toBe(true);
     });
 
     it("should reject token from different session", () => {