Just wanted some advice on how I would go about obtaining a valid CSRF token for an authenticated user?
I need to hit some Craft factory actions and some custom endpoints validated by CSRF from a headless application in which the user is authenticated by your plugin.
Have tried appending a CSRF token to the JWT payload like this:
```php
use Craft;
use yii\base\Event;
// JwtCreateEvent and TokenService come from the JWT plugin; their namespace is not shown here.

public function addJwtClaims(JwtCreateEvent $event)
{
    $builder = $event->builder;
    $request = Craft::$app->getRequest();
    // CSRF token Craft generates for the request that creates the JWT
    $csrfToken = $request->getCsrfToken();
    $csrfIsValidForUser = $request->validateCsrfToken($csrfToken);
    $builder->withClaim('csrf_token', $csrfToken);
    $builder->withClaim('csrf_token_valid', $csrfIsValidForUser); // true in all cases
}
...
Event::on(
    TokenService::class,
    TokenService::EVENT_BEFORE_CREATE_JWT,
    [$this, 'addJwtClaims']
);
```
I then decode the base64 JWT and retrieve the token.
When I use this token in the req headers (X-CSRF-Token) it won't validate (Bad request etc).
Have also tried explicitly returning just the token from a separate endpoint (actionGetCsrf) which gives me a different token but still not valid.
Any advice? Feel like there's a crucial part of the puzzle I'm missing...
Thanks
Craft 4.9.5