csrf, don't try to pass tokenkey, ref :...

csrf, don't try to pass tokenkey, ref : https://github.com/phalcon/cphalcon/blob/v3.0.3/phalcon/security.zep#L377

(cherry picked from commit f5ef2379)

src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php

@@ -175,9 +175,8 @@ class ApiControllerBase extends ControllerRoot
             }
 
             // check for valid csrf on post requests
-            $csrf_tokenkey = $this->request->getHeader('X_CSRFTOKENKEY');
-            $csrf_token =   $this->request->getHeader('X_CSRFTOKEN');
-            $csrf_valid = $this->security->checkToken($csrf_tokenkey, $csrf_token, false);
+            $csrf_token = $this->request->getHeader('X_CSRFTOKEN');
+            $csrf_valid = $this->security->checkToken(null, $csrf_token, false);
 
             if (($this->request->isPost() ||
                     $this->request->isPut() ||

src/opnsense/mvc/app/views/layouts/default.volt

@@ -51,7 +51,6 @@
                 $.ajaxSetup({
                     'beforeSend': function(xhr) {
                         xhr.setRequestHeader("X-CSRFToken", "{{ csrf_token }}" );
-                        xhr.setRequestHeader("X-CSRFTokenKey", "{{ csrf_tokenKey }}" );
                     }
                 });
                 // propagate ajax error messages