test(user): add CSRF failure tests for changePassword and forceLogout endpoints

Adds two @WebMvcTest assertions verifying that POST /api/users/me/password
and POST /api/users/{id}/force-logout without an XSRF-TOKEN header return
403 with code CSRF_TOKEN_MISSING.

Addresses Nora Concern 9 from PR #617 review.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/test/java/org/raddatz/familienarchiv/user/UserControllerTest.java

@@ -191,6 +191,16 @@ class UserControllerTest {
                 .andExpect(status().isUnauthorized());
     }
 
+    @Test
+    @WithMockUser(username = "user@example.com")
+    void changePassword_without_csrf_returns_403_CSRF_TOKEN_MISSING() throws Exception {
+        mockMvc.perform(post("/api/users/me/password")
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content("{\"currentPassword\":\"old\",\"newPassword\":\"new123!\"}"))
+                .andExpect(status().isForbidden())
+                .andExpect(jsonPath("$.code").value("CSRF_TOKEN_MISSING"));
+    }
+
     // ─── POST /api/users/{id}/force-logout ────────────────────────────────────
 
     @Test
@@ -232,4 +242,12 @@ class UserControllerTest {
         mockMvc.perform(post("/api/users/" + targetId + "/force-logout").with(csrf()))
                 .andExpect(status().isNotFound());
     }
+
+    @Test
+    @WithMockUser(username = "admin@example.com", authorities = "ADMIN_USER")
+    void forceLogout_without_csrf_returns_403_CSRF_TOKEN_MISSING() throws Exception {
+        mockMvc.perform(post("/api/users/" + UUID.randomUUID() + "/force-logout"))
+                .andExpect(status().isForbidden())
+                .andExpect(jsonPath("$.code").value("CSRF_TOKEN_MISSING"));
+    }
 }