Make sure CSRF token is added to headers

app/adapters/application.js

@@ -2,6 +2,7 @@ import JSONAPIAdapter from '@ember-data/adapter/json-api';
 import { camelize } from '@ember/string';
 import ENV from 'pass-ui/config/environment';
 import { inject as service } from '@ember/service';
+import { get } from '@ember/object';
 
 /**
  * PASS specific extensions for Ember Data's JSON:API adapter
@@ -11,9 +12,12 @@ export default class ApplicationAdapter extends JSONAPIAdapter {
 
   namespace = ENV.passApi.namespace;
 
-  headers = {
-    withCredentials: true,
-  };
+  get headers() {
+    return {
+      withCredentials: true,
+      'X-XSRF-TOKEN': document.cookie.match(/XSRF-TOKEN\=([^;]*)/)['1'],
+    };
+  }
 
   // Camel case instead of pluralize model types for our API
   pathForType(type) {

app/adapters/file.js

@@ -22,6 +22,10 @@ export default class FileAdapter extends ApplicationAdapter {
     }
     return fetch(url, {
       method: 'DELETE',
+      credentials: 'same-origin',
+      headers: {
+        'X-XSRF-TOKEN': document.cookie.match(/XSRF-TOKEN\=([^;]*)/)['1'],
+      },
     }).then((response) => {
       if (!response.ok) {
         throw new Error('Delete request to the file service failed');

app/components/workflow-files/index.js

@@ -97,7 +97,12 @@ export default class WorkflowFiles extends Component {
   @action
   async uploadFile(FileUpload) {
     try {
-      const response = await FileUpload.upload(ENV.fileServicePath);
+      const response = await FileUpload.upload(ENV.fileServicePath, {
+        withCredentials: true,
+        headers: {
+          'X-XSRF-TOKEN': document.cookie.match(/XSRF-TOKEN\=([^;]*)/)['1'],
+        },
+      });
 
       const file = await response.json();