Merge branch 'refactor/disable-csrf-in-session-destroy' into 'master'

Disable CSRF protection on logout endpoint

Closes #206912

See merge request gitlab-org/gitlab!25521

app/controllers/sessions_controller.rb

@@ -39,7 +39,7 @@ class SessionsController < Devise::SessionsController
   # would cause the CSRF token to be cleared and then
   # RequestForgeryProtection#verify_authenticity_token would fail because of
   # token mismatch.
-  protect_from_forgery with: :exception, prepend: true
+  protect_from_forgery with: :exception, prepend: true, except: :destroy
 
   CAPTCHA_HEADER = 'X-GitLab-Show-Login-Captcha'
   MAX_FAILED_LOGIN_ATTEMPTS = 5

changelogs/unreleased/refactor-disable-csrf-in-session-destroy.yml

+---
+title: Disable CSRF protection on logout endpoint
+merge_request: 25521
+author: Diego Louzán
+type: changed

spec/requests/sessions_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Sessions' do
+  context 'authentication', :allow_forgery_protection do
+    let(:user) { create(:user) }
+
+    it 'logout does not require a csrf token' do
+      login_as(user)
+
+      post(destroy_user_session_path, headers: { 'X-CSRF-Token' => 'invalid' })
+
+      expect(response).to redirect_to(new_user_session_path)
+    end
+  end
+end