no longer works in authenticated setup

[sl077]

I'm running a binderhub (local-binder-local-hub) with a current repo2docker 2025.08.0 and authentication enabled. On container startup this extension (version 0.3.1) tries to read a JSON configuration from offlinenotebook/config and ends up in an OAuth redirect loop like this:

302 GET /user/USER/SERVER/offlinenotebook/config -> /hub/api/oauth2/authorize?client_id=...
302 GET /user/USER/SERVER/oauth_callback?code=[secret]&state=[secret] -> /user/USER/SERVER/offlinenotebook/config
# next loop
302 GET /user/USER/SERVER/offlinenotebook/config -> /hub/api/oauth2/authorize?client_id=...
...

The browser breaks this loop after a few iterations and notebooks are now missing the buttons to save to or restore from browser storage.

As I understand it, this is because the GET request to offlinenotebook/config is missing the _xsrf argument or token, which is required for ajax requests in newer versions of jupyterhub:
https://github.com/jupyterhub/jupyterhub/blob/074917d9beeaeda37908ca1bcb02a0bede55f38b/jupyterhub/_xsrf_utils.py#L189-L238

There are also complaints from the extension manager:

"jupyter-offlinenotebook@0.3.1" is not compatible with the current JupyterLab
Conflicting Dependencies:
JupyterLab         Extension      Package
>=2.0.0 <3.0.0     >=1.4.3 <2.0.0 @lumino/disposable

[manics]

Thanks for the report. #646 should fix the XSRF error, though I need to look into the tests. For the version problems I might drop old versions of JupyterLab and Python.