fix: allow jwt to work without csrf in config

src/auth/getExtractJWT.ts

@@ -15,7 +15,7 @@ const getExtractJWT = (config: SanitizedConfig) => (req: Request): string | null
     const tokenCookieName = `${config.cookiePrefix}-token`;
 
     if (cookies && cookies[tokenCookieName]) {
-      if (!origin || (config.csrf && config.csrf.indexOf(origin) > -1)) {
+      if (!origin || config.csrf.length === 0 || config.csrf.indexOf(origin) > -1) {
         return cookies[tokenCookieName];
       }
     }

src/config/sanitize.ts

@@ -25,10 +25,9 @@ const sanitizeConfig = (config: Config): SanitizedConfig => {
     sanitizedConfig.globals = sanitizeGlobals(sanitizedConfig.collections, sanitizedConfig.globals);
   }
 
-  sanitizedConfig.csrf = [
-    ...sanitizedConfig.csrf,
-    config.serverURL,
-  ];
+  if (sanitizedConfig.serverURL !== '') {
+    sanitizedConfig.csrf.push(sanitizedConfig.serverURL);
+  }
 
   return sanitizedConfig as SanitizedConfig;
 };