krakenjs / lusca

Application security for express apps.

CSRF blacklist and whitelist not working as expected for multiple endpoints. #128

Closed gladchinda closed 5 years ago

gladchinda commented 6 years ago

I am currently working with a package that uses lusca for CSRF protection and discovered that blacklisting and whitelisting do not work as expected when I pass an array of more than one endpoint. However, if a string or an array with just one endpoint is passed, it works as expected.

Here is a simple scenario from my app:

This works as expected

const express = require('express');
const lusca = require('lusca');
const expressApp = express();
expressApp.use(lusca.csrf({
  blacklist: ['/hooks/user_created']
}));

This doesn't work as expected

expressApp.use(lusca.csrf({
  blacklist: [
    '/hooks/user_created',
    '/hooks/user_profile_updated',
    '/hooks/email_delivered'
  ]
}));
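The behaviour the report expects, written out as an added example that is neither lusca's code nor part of the issue: a standalone exemption check in which a `blacklist` given as a string or as an array of any length skips the CSRF check for every listed path, and nothing else. The function names, the `whitelist` semantics (only listed paths are checked), exact-path matching after trimming the query string and trailing slash, the stand-in `verifyToken` callback, and the constructed requests are all assumptions of this example, not a description of how lusca implements the option.

```javascript
// Added example, not lusca's own code. Semantics assumed here:
//   blacklist: string | string[]  -> listed paths skip the CSRF check
//   whitelist: string | string[]  -> only listed paths are checked
// Safe methods (GET/HEAD/OPTIONS) are never checked.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Accept a single string or an array; anything else counts as "no list".
function toList(option) {
  if (typeof option === 'string') return [option];
  if (Array.isArray(option)) return option.filter(p => typeof p === 'string');
  return [];
}

// Drop the query string and a trailing slash so '/hooks/x/?a=1' matches '/hooks/x'.
function normalisePath(path) {
  const noQuery = path.split('?')[0];
  const trimmed = noQuery.replace(/\/+$/, '');
  return trimmed === '' ? '/' : trimmed;
}

// True when `path` equals one of the entries in `list` after normalising both.
function pathListed(list, path) {
  const target = normalisePath(path);
  return toList(list).some(entry => normalisePath(entry) === target);
}

// Decide whether a request must carry a valid CSRF token.
function csrfRequired(req, options = {}) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return false;
  if (options.whitelist !== undefined) return pathListed(options.whitelist, req.path);
  if (options.blacklist !== undefined) return !pathListed(options.blacklist, req.path);
  return true;
}

// Express-style middleware: exempt requests pass through, the rest need a token.
// `verifyToken(req)` is a stand-in for a real token check (assumption).
function csrfGuard(options, verifyToken) {
  return function (req, res, next) {
    if (!csrfRequired(req, options)) return next();
    if (verifyToken(req)) return next();
    res.statusCode = 403;
    res.end('CSRF token missing or invalid');
  };
}

// Run the middleware against a minimal fake response; returns 'next' or the status.
function simulate(guard, req) {
  let passed = false;
  const res = { statusCode: 200, end() {} };
  guard(req, res, () => { passed = true; });
  return passed ? 'next' : res.statusCode;
}

// Constructed requests exercising the three-entry blacklist from the report.
const options = {
  blacklist: ['/hooks/user_created', '/hooks/user_profile_updated', '/hooks/email_delivered'],
};
const requests = [
  { method: 'POST', path: '/hooks/user_created' },
  { method: 'POST', path: '/hooks/user_profile_updated' },
  { method: 'POST', path: '/hooks/email_delivered/?id=7' },
  { method: 'POST', path: '/account/delete' },
  { method: 'GET', path: '/account' },
];

// Map each path to whether the check applies; listed hook paths must all be false.
function checkMatrix(opts, reqs) {
  const out = {};
  for (const r of reqs) out[r.path] = csrfRequired(r, opts);
  return out;
}

// Regression check: every entry of the multi-element list must behave exactly
// like the same entry passed as a one-element list.
function multiMatchesSingle(opts) {
  return toList(opts.blacklist).every(p =>
    csrfRequired({ method: 'POST', path: p }, opts) === false &&
    csrfRequired({ method: 'POST', path: p }, { blacklist: [p] }) === false);
}

console.log(checkMatrix(options, requests));
if (!multiMatchesSingle(options)) throw new Error('multi-entry blacklist does not match single-entry behaviour');
```

Running the file prints the decision for each constructed request. A defect of the kind reported above would show up as `true` for one of the listed hook paths while the one-element form of the same entry returns `false`; `multiMatchesSingle` is the check to keep in a test suite so that any future change to the list handling is caught before deployment.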
linkRace commented 5 years ago

Fixed in #121