add ajax call for getting csfr token

config/routes.php

@@ -58,6 +58,9 @@ Router::scope('/', function (RouteBuilder $routes) {
         // Skip token check for API URLs.
       //die($request->getParam('controller'));
         $whitelist = ['JsonRequestHandler', 'ElopageWebhook'];
+        if($request->getParam('action') === 'ajaxGetCSFRToken') {
+            return true;
+        }
         foreach($whitelist as $entry) {
           if($request->getParam('controller') === $entry) {
             if($entry == 'ElopageWebhook') {

src/Controller/StateUsersController.php

@@ -5,6 +5,8 @@ use Cake\Routing\Router;
 use Cake\I18n\I18n;
 use Cake\I18n\FrozenTime;
 use Cake\ORM\TableRegistry;
+use Cake\Http\Client;
+use Cake\Core\Configure;
 
 use App\Controller\AppController;
 use App\Form\UserSearchForm;
@@ -43,7 +45,7 @@ class StateUsersController extends AppController
         $this->Auth->allow([
             'search', 'ajaxCopyLoginToCommunity', 'ajaxCopyCommunityToLogin',
             'ajaxDelete', 'ajaxCountTransactions', 'ajaxVerificationEmailResend',
-            'ajaxGetUserEmailVerificationCode'
+            'ajaxGetUserEmailVerificationCode', 'ajaxGetCSFRToken'
          ]);
         $this->set(
             'naviHierarchy',
@@ -433,6 +435,40 @@ class StateUsersController extends AppController
         }
         return $this->returnJson(['state' => 'error', 'msg' => 'no post request']);
     }
+    
+    public function ajaxGetCSFRToken()
+    {
+        if ($this->request->is('post')) {
+            $jsonData = $this->request->input('json_decode', true);
+            $session_id = $jsonData['session_id'];
+            $client_ip = $this->request->clientIp();
+             
+            $loginServer = Configure::read('LoginServer');
+            $url = $loginServer['host'] . ':' . $loginServer['port'];
+            
+            $http = new Client();
+            $response = $http->get($url . '/login', ['session_id' => $session_id]);
+            $json = $response->getJson();
+
+            if (isset($json) && count($json) > 0) {
+                if ($json['state'] === 'success') {
+                    if($json['clientIP'] == $client_ip) {
+                        return $this->returnJson(['state' => 'success', 'csfr' => $this->request->getParam('_csrfToken')]);
+                    } else {
+                        return $this->returnJson([
+                            'state' => 'error',
+                            'msg' => 'client ip mismatch',
+                            'details' => ['login_server' => $json['clientIP'], 'caller' => $client_ip]]);
+                    }
+                } else {
+                    return $this->returnJson($json);
+                }
+            } else {
+                return $this->returnJson(['state' => 'error', 'invalid response form logins server']);
+            }
+        }
+        return $this->returnJson(['state' => 'error', 'msg' => 'no post']);
+    }
     /*
 
      getField(vnode, 'receive'),