kompassi
Require a CSRF token when the GraphQL API is authenticated by anything other than Bearer/Basic
As of 2024-01-12, cookie-based authentication to the GraphQL API is open to CSRF: a browser attaches the session cookie to any request, including one issued by a third-party page. Currently the risk is low, as there are very few authenticated resources in the API and they expose very little information. However, we should require a CSRF token whenever the GraphQL API is authenticated via a cookie (Bearer and Basic credentials are not sent automatically by browsers and need no token), and monkey patch GraphiQL to include the token in its requests.
https://outline.con2.fi/doc/graphql-ZKn04xpcvm#h-graphql-playground-session-based-authentication
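The check described above, as an added example that is not kompassi's own code: classify how a request is authenticated, require a CSRF token only for cookie-authenticated requests, and build the header GraphiQL would have to add so its own requests pass. It assumes Django's default names for the CSRF cookie (`csrftoken`) and header (`X-CSRFToken`) and `sessionid` as the session cookie; the `Request` class and all sample values are constructed stand-ins, not Django's request objects.

```python
"""Added example (not kompassi's code): enforce a CSRF token for the GraphQL
endpoint only when the request is authenticated by a session cookie.

Assumptions: Django's default cookie/header names (csrftoken / X-CSRFToken),
"sessionid" as the session cookie, and a simplified double-submit comparison
(header value must equal cookie value). Requests below are constructed."""
import hmac
from dataclasses import dataclass, field

CSRF_COOKIE = "csrftoken"      # assumed: Django default
CSRF_HEADER = "X-CSRFToken"    # assumed: Django default
SESSION_COOKIE = "sessionid"   # assumed: Django default


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (headers are exact-case here)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def auth_mode(request: Request) -> str:
    """Classify the request's authentication.

    Authorization headers are never attached automatically by a browser, so a
    Bearer/Basic request cannot be forged by a third-party page. A session
    cookie *is* attached automatically, which is what makes cookie auth a
    CSRF target.
    """
    scheme = request.headers.get("Authorization", "").split(" ", 1)[0].lower()
    if scheme in ("bearer", "basic"):
        return scheme
    if SESSION_COOKIE in request.cookies:
        return "cookie"
    return "anonymous"


def check_csrf(request: Request):
    """Return (allowed, reason).

    Only cookie-authenticated requests must carry a CSRF token in the header
    that matches the CSRF cookie; everything else passes through unchanged.
    """
    mode = auth_mode(request)
    if mode != "cookie":
        return True, f"{mode}: no CSRF token required"
    expected = request.cookies.get(CSRF_COOKIE)
    provided = request.headers.get(CSRF_HEADER)
    if not expected or not provided:
        return False, "cookie auth without CSRF token"
    # constant-time comparison so the check does not leak the token by timing
    if not hmac.compare_digest(expected, provided):
        return False, "CSRF token mismatch"
    return True, "cookie auth with valid CSRF token"


def graphiql_headers(cookies: dict) -> dict:
    """The header GraphiQL must add so its own requests pass check_csrf:
    copy the CSRF cookie value into the CSRF header (the GraphiQL patch side
    of the fix)."""
    token = cookies.get(CSRF_COOKIE)
    return {CSRF_HEADER: token} if token else {}


if __name__ == "__main__":
    session = {SESSION_COOKIE: "constructed-session", CSRF_COOKIE: "constructed-token"}
    samples = {
        "bearer, no token": Request("POST", {"Authorization": "Bearer constructed"}),
        "cookie, no token": Request("POST", {}, session),
        "cookie, forged page (wrong token)": Request("POST", {CSRF_HEADER: "guess"}, session),
        "cookie, GraphiQL patched": Request("POST", graphiql_headers(session), session),
        "anonymous": Request("POST"),
    }
    for label, req in samples.items():
        print(f"{label:36s} -> {check_csrf(req)}")
```

Run as a script to see each constructed request classified and accepted or rejected; the only rejected cases are cookie-authenticated requests whose header token is missing or does not match the cookie.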