check csrf_protect cookie, not header, in _decode_jwt_from_cookies

Author: robscllc

flask_jwt_extended/utils.py

@@ -199,8 +199,7 @@ def _decode_jwt_from_cookies(type):
     token = _decode_jwt(token, secret, algorithm)
 
     if get_cookie_csrf_protect():
-        csrf_header_key = get_csrf_header_name()
-        csrf = request.headers.get(csrf_header_key, None)
+        csrf = request.cookies.get(get_access_csrf_cookie_name(), None)
         if not csrf or not safe_str_cmp(csrf,  token['csrf']):
             raise NoAuthorizationError("Missing or invalid csrf double submit header")