Fix `Devise::Strategies::PasskeyReauthentication`: keeps CSRF token

[tcannonfodder]

• There was a bug in the reauthentication flow that would reset a session's CSRF token, causing the form to be invalid after reauthenticating.
  • see:
    • https://github.com/ruby-passkeys/devise-passkeys/pull/35
    • https://github.com/ruby-passkeys/devise-passkeys-template/issues/9
  • Devise::Strategies::Authenticatable has a clean_up_csrf? hook, that defaults to true, but can be overridden to retain the CSRF token after each reauthentication (which is what we want to happen in this case)
• Overrode the method in the Reauthentication strategy, and wrote tests to ensure that the CSRF token is valid
  • Have to temporarily enable the forgery proptection for the reauthentication controller concern

This replaces #35

Also major major props to @heliocola for all his work hammering away at this problem, which helped a ton with debugging & finding the eventual solution

[heliocola]

Beautiful solution that you found @tcannonfodder 🚀 I feel like the Android issue will follow the pattern here! :-D