The extension adds both a client side script and a new server side route.
The client side script will automatically fire a request to the new route on a regular basis.
The server side route returns a new CSRF token if the old one has expired, and the client script assigns this to the
app.session.csrfToken variable in the JS frontend.
The aim of the extension is to prevent sessions timing out. This is when you would normally see an error when attempting to perform an action, such as liking a post or replying to a discussion. This usually happens because the CSRF token becomes invalid due to no action being performed with it for a long time.
Usually you would have to refresh the forum page, and this would cause annoyance if you were writing a long post, for example, or you put your laptop to sleep and reopened it the next day with a Flarum page still open.