expressjs / csurf

CSRF token middleware
MIT License
2.3k stars 216 forks

Fix token caching if secret is not changed #231

Closed slavamuravey closed 3 years ago

slavamuravey commented 3 years ago

The middleware is invoked on every request, so the token variable is recreated on every request and the token is regenerated every time. We need to hold the token outside of the middleware function.

dougwilson commented 3 years ago

Hello, and thank you for your PR. Unfortunately this breaks the security of this module, in that your change will give every user the exact same token. Users cannot know each other's token in order to prevent cross-site request forgery; a token must be kept secret for each user.

You can see this with your change by running it and opening two different web browsers and observing the token is the same between two different web browsers.

If you are having an issue, please open an issue with what is going wrong and how to reproduce it so we can help investigate, and we can always help come up with an appropriate fix.