Multiple url support#635

Open
schmurtzm wants to merge 2 commits into cmintey:main from schmurtzm:Multiple-url-support

Conversation

@schmurtzm

This PR adds multiple allowed origins for CSRF protection, making it possible to access the application from several URLs (such as a domain name and a local IP address).
It achieves this by adding a new ALLOWED_ORIGINS environment variable, implementing custom CSRF verification logic that checks requests against this list (it also includes updated documentation and configuration accordingly).

CSRF Protection & Allowed Origins:

  • Added support for specifying multiple allowed origins via a new ALLOWED_ORIGINS environment variable, and implemented helper functions (isAllowedOrigin, getAllowedOrigins) to parse and validate origins in src/lib/server/auth.ts.
  • Replaced SvelteKit's default CSRF protection with a custom hook (csrfProtection) in src/hooks.server.ts that checks incoming requests' origins against the allowed list, and combined it with the main handler using sequence.
  • Disabled SvelteKit's built-in CSRF origin checking in svelte.config.js to avoid conflicts with the new custom implementation.

Documentation & Configuration:

  • Updated .env.example and README.md to document the new ALLOWED_ORIGINS variable and provide usage examples.
  • Enabled the Vite dev server to listen on all network interfaces (host: true) in vite.config.ts, making local network access easier for development and testing.

Add ALLOWED_ORIGINS environment variable to allow multiple origins for CORS and CSRF protection. Implements a custom CSRF protection hook in hooks.server.ts that checks requests against the allowed origins. Updates documentation and disables SvelteKit's default CSRF origin check to support this custom logic.
Set 'host: true' in the Vite server configuration to allow access from other network addresses.
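As an added example (not the PR's own code, and not the cmintey project's), here is a stand-alone version of the origin-based CSRF check the description outlines: parse a comma-separated ALLOWED_ORIGINS value, compare a request's Origin header against it by exact match, and decide whether a state-changing request should be rejected. The function names getAllowedOrigins, isAllowedOrigin and csrfCheck, the MinimalRequest shape, and the sample origins are assumptions for this example; the rule of only checking form-style POST/PUT/PATCH/DELETE requests is modelled on SvelteKit's built-in check rather than copied from the PR.

```typescript
// Added example: origin-allow-list CSRF check, independent of SvelteKit.
// Names, request shape and sample values below are constructed for this example.

/** Parse a comma-separated ALLOWED_ORIGINS value into normalised origins. */
function getAllowedOrigins(envValue: string | undefined): string[] {
  if (!envValue) return [];
  const origins: string[] = [];
  for (const raw of envValue.split(",")) {
    const trimmed = raw.trim();
    if (!trimmed) continue;
    try {
      // new URL(...).origin normalises scheme, host and port and drops any path,
      // so "https://Example.com:443/" becomes "https://example.com".
      origins.push(new URL(trimmed).origin);
    } catch {
      // Entries that are not absolute URLs are skipped rather than accepted,
      // so a typo in the variable cannot widen the allow list.
    }
  }
  return origins;
}

/** Exact-match comparison against the allow list: no wildcard or prefix matching. */
function isAllowedOrigin(origin: string | null, allowed: string[]): boolean {
  if (!origin) return false;
  let normalised: string;
  try {
    normalised = new URL(origin).origin;
  } catch {
    return false; // malformed Origin header is treated as not allowed
  }
  return allowed.indexOf(normalised) !== -1;
}

/** Minimal request shape so the check runs without a framework. Header keys are lowercase. */
interface MinimalRequest {
  method: string;
  headers: { [name: string]: string };
}

/**
 * Returns an HTTP status to respond with (403) or null to let the request through.
 * Only form-style bodies on state-changing methods are checked, because those are
 * the requests a cross-site HTML form can send without a CORS preflight; a missing
 * Origin header on such a request is rejected rather than assumed same-site.
 */
function csrfCheck(req: MinimalRequest, allowed: string[]): number | null {
  const method = req.method.toUpperCase();
  if (["POST", "PUT", "PATCH", "DELETE"].indexOf(method) === -1) return null;
  const contentType = (req.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  const formLike = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
  if (formLike.indexOf(contentType) === -1) return null;
  const origin = req.headers["origin"] || null;
  return isAllowedOrigin(origin, allowed) ? null : 403;
}

// Constructed sample configuration: a public name plus a LAN address, and one bad entry.
const sampleAllowed = getAllowedOrigins(
  "https://wishlist.example.com, http://192.168.1.10:3000/, not-a-url"
);

// Constructed sample requests: one cross-site form post, one from the LAN origin.
const crossSitePost: MinimalRequest = {
  method: "POST",
  headers: { "content-type": "application/x-www-form-urlencoded", origin: "https://evil.example" },
};
const lanPost: MinimalRequest = {
  method: "POST",
  headers: { "content-type": "multipart/form-data; boundary=xyz", origin: "http://192.168.1.10:3000" },
};

console.log("allowed origins:", sampleAllowed);
console.log("cross-site form post ->", csrfCheck(crossSitePost, sampleAllowed)); // 403
console.log("LAN form post ->", csrfCheck(lanPost, sampleAllowed)); // null (allowed)
```

The design choice worth noting is that the list is matched on the normalised origin (scheme, host, port) and nothing else: a path, trailing slash or differently cased hostname in ALLOWED_ORIGINS does not create a mismatch, and a malformed entry is dropped rather than turned into a permissive match.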
@schmurtzm schmurtzm mentioned this pull request Jan 29, 2026
Owner

@cmintey cmintey left a comment


I don't really understand why this change is needed? I don't love turning off the built in CSRF protection for a home baked one

Comment thread vite.config.ts
})
],
server: {
host: true,
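Review bot: `host: true` in vite.config.ts binds the Vite dev server to every network interface for anyone who runs the project from this config, so the development build is reachable from the whole local network by default rather than only from localhost. Since the PR description says this is only to make local-network testing easier, suggest dropping the `server` block and passing `--host` on the command line for the runs that need it.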
Owner


This is not needed. You can run the dev server with the --host option

@schmurtzm
Author

I wanted to be able to access it through my reverse proxy but also locally.
At least, if you put your website offline (for example, by disabling your reverse proxy), you can still access it.

By the way, when you get the URL configuration wrong, if you start the account configuration, then after that you have to delete all the data; you won't be able to register again even if you modify the URL.
