Javascript login

I’m trying to create a new channel from an internal webpage using javascript. I can successfully call the api, but I’m not able to retrieve the mattermost auth token as it is an uprotected header with CORS. Any ideas? My code is posted below.

		var data = "{\"login_id\":\"********\",\"password\":\"********\"}";
		var createCORSRequest = function(method, url) {
		  var xhr = new XMLHttpRequest();
		  if ("withCredentials" in xhr) {
		    // Most browsers.
		    xhr.open(method, url, true);
		  } else if (typeof XDomainRequest != "undefined") {
		    // IE8 & IE9
		    xhr = new XDomainRequest();
		    xhr.open(method, url);
		  } else {
		    // CORS not supported.
		    xhr = null;
		  }
		  return xhr;
		};

		var url = 'https://collab.ipnms.net/api/v3/users/login';
		var method = 'POST';
		var xhr = createCORSRequest(method, url);
		xhr.onload = function() {
		  // Success code goes here.
			alert("Response: " + xhr.getResponseHeader("Content-Length"));
			var json = xhr.responseText;
			obj = JSON.parse(json);
			//alert("Response: " + obj.id);
		};


		xhr.onerror = function() {
		  // Error code goes here.
		};

		xhr.send(data);

		function getCookie(cname) {
				var name = cname + "=";
				var decodedCookie = decodeURIComponent(document.cookie);
				var ca = decodedCookie.split(';');
				for(var i = 0; i <ca.length; i++) {
    				var c = ca[i];
    				while (c.charAt(0) == ' ') {
        					c = c.substring(1);
    				}
    				if (c.indexOf(name) == 0) {
        					return c.substring(name.length, c.length);
    				}
				}
				//return "";
		}

		function readCookie(name) {
				var nameEQ = name + "=";
				var ca = document.cookie.split(';');
				for(var i=0;i < ca.length;i++) {
    				var c = ca[i];
    				while (c.charAt(0)==' ') c = c.substring(1,c.length);
    				if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
				}
				return null;
		}
     </script>
</body>

The session token is also returned in a Token header on the response to a successful login. Can you see if you can pull the session from there? For example we do it in Javascript here https://github.com/mattermost/mattermost-redux/blob/master/src/client/client4.js#L390