This repository has been archived by the owner on May 17, 2019. It is now read-only.

Remove csrf endpoint once clients have time to upgrade #158

Open
ganemone opened this issue Oct 30, 2018 · 5 comments

Comments

@ganemone
Contributor

After simplifying the plugin we can now remove the csrf endpoint. However, we should wait some time for clients to have time to upgrade.

@chrisirhc

chrisirhc commented Dec 28, 2018

I saw that this endpoint is only on the POST method. However, doesn't the Uber internal xhr mechanism expect a csrf-token endpoint on the GET (see reference)?
Is this for external clients? Wouldn't it make more sense for this to handle the GET method as well?

if (ctx.path === '/csrf-token' && ctx.method === 'POST') {

@ganemone
Contributor Author

The internal implementation is being phased out in favor of this implementation. Technically we are phasing out token refreshing altogether, so eventually you won't need to hit any endpoint at all.

@chrisirhc

I understand it is being phased out.
I'm saying the quoted POST endpoint doesn't seem to serve any purpose if it doesn't handle the legacy compatibility use cases in the internal implementation, since internal implementation uses GET, not POST.

To handle an internal legacy migration that depends on components that aren't yet fusion/fetch compatible, I needed to create a compatibility plugin with this same code but for GET.

@ganemone
Contributor Author

ganemone commented Jan 2, 2019

The purpose is to allow clients to gradually upgrade to the newer server version. The internal csrf protection is not designed to be used with this library. That is entirely separate.

@chrisirhc

You meant old clients of this plugin. Gotcha.
