Verified Commit 41b8957d authored by godotislate's avatar godotislate

task: #3585891 Deprecate Validating CSRF tokens with the 'rest' key in CsrfRequestHeaderAccessCheck

By: sourav_paul
By: smustgrave
By: macsim
By: godotislate
By: longwave
(cherry picked from commit b91680f9)
parent 3a81647d
+7 −5
@@ -95,13 +95,15 @@ public function access(Request $request, AccountInterface $account) {
        return AccessResult::forbidden()->setReason('X-CSRF-Token request header is missing')->setCacheMaxAge(0);
      }
      $csrf_token = $request->headers->get('X-CSRF-Token');
      // @todo Remove validate call using 'rest' in 8.3.
      //   Kept here for sessions active during update.
      if (!$this->csrfToken->validate($csrf_token, self::TOKEN_KEY)
        && !$this->csrfToken->validate($csrf_token, 'rest')) {
      if (!$this->csrfToken->validate($csrf_token, self::TOKEN_KEY)) {
        if ($this->csrfToken->validate($csrf_token, 'rest')) {
          @trigger_error("Validating CSRF tokens with the 'rest' key is deprecated in drupal:11.4.0 and is removed from drupal:12.0.0. Sessions created before the upgrade to Drupal 9 are no longer supported. See https://www.drupal.org/node/3591939", E_USER_DEPRECATED);
        }
        else {
          return AccessResult::forbidden()->setReason('X-CSRF-Token request header is invalid')->setCacheMaxAge(0);
        }
      }
    }
    // Let other access checkers decide if the request is legit.
    return AccessResult::allowed()->setCacheMaxAge(0);
  }
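Review bot: The inner `if ($this->csrfToken->validate($csrf_token, 'rest'))` branch still grants access on a 'rest'-keyed token, so until 12.0.0 two differently keyed tokens remain valid for the same session; that matches the previous behaviour, but the removed `@todo` was the only text explaining why the fallback exists, and the new branch carries no comment. Suggest a why-comment above the inner `if`: `// Tokens keyed 'rest' were issued by the user login controller before this change; keep accepting them for sessions that span the upgrade, but warn so the fallback can be dropped in 12.0.0.` The deprecation message also says pre-Drupal-9 sessions "are no longer supported" while this very branch still accepts their tokens; phrasing it as "will no longer be accepted from drupal:12.0.0" would read less contradictory in logs. The `@` on `trigger_error` appears to follow the usual Drupal deprecation convention and is fine here. Note that `access()` begins before this hunk.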
+2 −1
@@ -2,6 +2,7 @@

namespace Drupal\user\Controller;

use Drupal\Core\Access\CsrfRequestHeaderAccessCheck;
use Drupal\Core\Access\CsrfTokenGenerator;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
@@ -219,7 +220,7 @@ public function login(Request $request) {
        if ($account->get('name')->access('view', $account)) {
          $response_data['current_user']['name'] = $account->getAccountName();
        }
        $response_data['csrf_token'] = $this->csrfToken->get('rest');
        $response_data['csrf_token'] = $this->csrfToken->get(CsrfRequestHeaderAccessCheck::TOKEN_KEY);

        $logout_route = $this->routeProvider->getRouteByName('user.logout.http');
        // Trim '/' off path to match \Drupal\Core\Access\CsrfAccessCheck.