79477309

Date: 2025-03-01 08:55:49
Score: 1
Natty:
Report link

You do need both tokens:

  1. The CSRF token ensures requests are coming from your trusted frontend.
  2. The authentication token ensures the user is authenticated.

Ensure the frontend makes a GET request to fetch the CSRF token before the login request. In your React app, when the user lands on the login page, make a GET request to /csrf-token to fetch the CSRF token. Store this token (e.g., in memory or a state variable) and include it in the login POST request. Then, include the CSRF token in the login request. Your /csrf-token endpoint is fine. Spring Security's CookieCsrfTokenRepository automatically sets the CSRF token in a cookie (XSRF-TOKEN).

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Debashis Kar Suvra