Previously, we would only include the csrf double submit value in a
jwt if JWT_COOKIE_CSRF_PROTECT was true (the default) AND
JWT_TOKEN_LOCATION was configured to use cookies.

However, since we allow overriding locations on a per-route basis
instead of only globally for the whole application, we could create a
situation where a single route was configured to use cookies while the
rest of the app was not. Because the app was not globally configured
for cookies, the jwt carried no csrf value, so no csrf check could be
performed against that cookie-authenticated endpoint.

This change makes it so that any jwts will be encoded with a csrf value
when JWT_COOKIE_CSRF_PROTECT is true, regardless of whether the app is
globally configured to use cookies. It will also verify the csrf double
submit token on any route that uses cookies when JWT_COOKIE_CSRF_PROTECT
is true, regardless of whether the cookie location is set globally in
the application or on an individual route.

As a result of this change, you might notice that jwts issued by apps
that do not use cookies now include a csrf value. This will not change
the behavior of non-jwt based endpoints at all; your jwts will just be
a little bigger. You can remove that key from the jwt by explicitly
setting JWT_COOKIE_CSRF_PROTECT to False, if you are not using cookies.
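To make the behaviour concrete, here is a small stand-alone model of the old and new rules, written for this note and not taken from the project's own code. It hand-rolls HS256 JWTs with the standard library, so nothing needs to be installed. The cookie name `access_token_cookie`, the header name `X-CSRF-TOKEN`, the signing key and the request dictionaries are all constructed for the example and are assumptions, not settings read from any real application.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample key for the example only; never hard-code a real one.
SECRET = b"constructed-example-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def legacy_include_csrf(cookie_csrf_protect, global_locations):
    # Old rule: csrf claim only if cookies were enabled *globally*.
    return cookie_csrf_protect and "cookies" in global_locations


def include_csrf(cookie_csrf_protect, global_locations=None):
    # New rule: csrf claim whenever JWT_COOKIE_CSRF_PROTECT is true,
    # regardless of the global token location.
    return bool(cookie_csrf_protect)


def encode_jwt(sub, with_csrf, key=SECRET):
    """Build an HS256 JWT; add a random csrf claim when with_csrf is true."""
    claims = {"sub": sub}
    if with_csrf:
        claims["csrf"] = secrets.token_hex(16)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt(token, key=SECRET):
    """Verify the HS256 signature and return the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def verify_request(request, global_locations, route_locations=None,
                   cookie_csrf_protect=True, key=SECRET):
    """Locate and verify the JWT on a simulated request.

    request is a dict with 'headers' and 'cookies' (constructed for the example).
    A per-route location list overrides the global one. Any route that reads the
    token from a cookie enforces the double-submit check when cookie_csrf_protect
    is true, no matter whether cookies were enabled globally or per route.
    """
    locations = route_locations if route_locations is not None else global_locations
    for loc in locations:
        if loc == "headers":
            auth = request["headers"].get("Authorization", "")
            if auth.startswith("Bearer "):
                # Cross-site requests cannot set Authorization, so no csrf check here.
                return decode_jwt(auth[len("Bearer "):], key)
        elif loc == "cookies":
            token = request["cookies"].get("access_token_cookie")
            if token:
                claims = decode_jwt(token, key)
                if cookie_csrf_protect:
                    sent = request["headers"].get("X-CSRF-TOKEN", "")
                    if "csrf" not in claims or not hmac.compare_digest(sent, claims["csrf"]):
                        raise PermissionError("CSRF double submit tokens do not match")
                return claims
    raise PermissionError("Missing JWT")
```

With the app globally on `headers` and one route overriding to `cookies`, the old rule produces a token with no csrf claim, so the cookie route has nothing to compare and the request is accepted on the cookie alone; the new rule puts the claim in every token and the cookie route rejects a request that lacks a matching `X-CSRF-TOKEN` header.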