adsabs / adsws

ADS web services

better csrf passing #50

Closed vsudilov closed 9 years ago

vsudilov commented 9 years ago

The current implementation passes a csrf token with the token data structure at /bootstrap. This works, but has the side-effect of potentially causing the user to send an expired csrf token (3600s default lifetime) by the time they get to account maintenance activities.

Perhaps a better solution would be to use a dedicated endpoint for csrf. That endpoint would be visited intelligently by bumblebee: On first order, every time the user initiates some user account related action. This endpoint would be cheaper than the full access token endpoint.
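The two designs discussed in this issue, a CSRF token bundled into the bootstrap response versus a cheap dedicated endpoint fetched right before each account action, as an added illustration that is not code from adsws or bumblebee. The handler names (`bootstrap_handler`, `csrf_handler`, `account_handler`), the `<issued_at>.<mac>` token format, the session binding and the simulated clock are all assumptions made for the example; only the 3600s lifetime comes from the issue.

```python
"""Constructed example: time-limited CSRF tokens, issued either at bootstrap
or from a dedicated endpoint, checked by a protected account handler.
Not adsws code; handler names, token format and flows are assumptions."""
import hashlib
import hmac
import secrets

CSRF_LIFETIME = 3600  # seconds, the default lifetime mentioned in the issue


def issue_csrf_token(secret: bytes, session_id: str, now: int) -> str:
    """Return "<issued_at>.<mac>"; the MAC binds the timestamp to the session."""
    msg = f"{session_id}:{now}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{now}.{mac}"


def verify_csrf_token(secret: bytes, session_id: str, token: str, now: int,
                      lifetime: int = CSRF_LIFETIME) -> bool:
    """Accept only a well-formed token with a valid MAC that is not older than lifetime."""
    try:
        issued_at_str, mac = token.split(".", 1)
        issued_at = int(issued_at_str)
    except ValueError:
        return False
    age = now - issued_at
    if age < 0 or age > lifetime:
        return False  # expired (or from the future): reject before touching the MAC
    expected = hmac.new(secret, f"{session_id}:{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


# --- simulated server handlers (assumed names, not real adsws routes) ---

def bootstrap_handler(secret: bytes, session_id: str, now: int) -> dict:
    """Current design: the expensive call that mints an access token also bundles a CSRF token."""
    return {
        "access_token": secrets.token_hex(16),  # stands in for the OAuth access token
        "csrf_token": issue_csrf_token(secret, session_id, now),
    }


def csrf_handler(secret: bytes, session_id: str, now: int) -> dict:
    """Proposed design: a cheap endpoint that only returns a fresh CSRF token."""
    return {"csrf_token": issue_csrf_token(secret, session_id, now)}


def account_handler(secret: bytes, session_id: str, csrf_token: str, now: int) -> int:
    """Protected account-maintenance endpoint: 400 unless the CSRF token verifies."""
    if not verify_csrf_token(secret, session_id, csrf_token, now):
        return 400
    return 200


# --- simulated client flows; t_* are seconds on a shared fake clock ---

def flow_bundled(secret: bytes, session_id: str, t_bootstrap: int, t_action: int) -> int:
    """Client caches the CSRF token received at bootstrap and reuses it later."""
    boot = bootstrap_handler(secret, session_id, t_bootstrap)
    return account_handler(secret, session_id, boot["csrf_token"], t_action)


def flow_dedicated(secret: bytes, session_id: str, t_bootstrap: int, t_action: int) -> int:
    """Client bootstraps once, then fetches a fresh CSRF token just before the action."""
    bootstrap_handler(secret, session_id, t_bootstrap)  # still needed for the access token
    fresh = csrf_handler(secret, session_id, t_action)["csrf_token"]
    return account_handler(secret, session_id, fresh, t_action)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    # Bundled token used 4000s after bootstrap has outlived its 3600s lifetime.
    print("bundled, 4000s later:", flow_bundled(key, "sess-1", 0, 4000))
    print("dedicated, 4000s later:", flow_dedicated(key, "sess-1", 0, 4000))
```

The dedicated endpoint does no token minting or database work beyond an HMAC, which is what makes it cheap enough to call on every account action; binding the session id into the MAC keeps a token issued to one session from being replayed against another.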