fix: properly setup CSRF errors

[jonas-jonas]

The current implementation frequently returns errors that seem to contradict itself (reason says "no CSRF cookie sent" and detail says "CSRF cookie found but did not match). The reason is as follows: herodot errors are copied in the WithDetail method, and in theory all operations in that method happen on a new struct. The details field is a map[string]any, of which only the pointer to it is copied in WithDetail, not the actual contents. This means, that calling WithDetail on an existing error, modifies the details field on the original error as well.

And in this specific case, it means that calling WithDetail on ErrInvalidCSRFTokenServer, modifies the details field for all errors that do so, leading to misleading error responses.

Related issue(s)

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments