create separate API methods for tokens (short-lived) and personal access tokens (long-lived), include global antiforgery filter to mitigate XSRF when using cookie auth (ignored when using Jwt)

Oqtane.Client/Services/Interfaces/IUserService.cs

@@ -109,5 +109,11 @@ namespace Oqtane.Services
         /// </summary>
         /// <returns></returns>
         Task<string> GetTokenAsync();
+
+        /// <summary>
+        /// Get personal access token for current user (administrators only)
+        /// </summary>
+        /// <returns></returns>
+        Task<string> GetPersonalAccessTokenAsync();
     }
 }

Oqtane.Client/Services/UserService.cs

@@ -84,5 +84,10 @@ namespace Oqtane.Services
         {
             return await GetStringAsync($"{Apiurl}/token");
         }
+
+        public async Task<string> GetPersonalAccessTokenAsync()
+        {
+            return await GetStringAsync($"{Apiurl}/personalaccesstoken");
+        }
     }
 }