Disable CSRF protection on logout endpoint

Allow external applications to destroy sessions without requiring a CSRF token

Disable CSRF protection on logout endpoint
Allow external applications to destroy sessions without requiring a CSRF token
b29c012e · Diego Louzán · Imre Farkas · 04eb076d · b29c012e · b29c012e
Commit b29c012e authored Feb 21, 2020 by Diego Louzán Committed by Imre Farkas Feb 21, 2020
3 changed files
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -39,7 +39,7 @@ class SessionsController < Devise::SessionsController
  # would cause the CSRF token to be cleared and then
  # RequestForgeryProtection#verify_authenticity_token would fail because of
  # token mismatch.
-  protect_from_forgery with: :exception, prepend: true
+  protect_from_forgery with: :exception, prepend: true, except: :destroy

  CAPTCHA_HEADER = 'X-GitLab-Show-Login-Captcha'
  MAX_FAILED_LOGIN_ATTEMPTS = 5

--- a/changelogs/unreleased/refactor-disable-csrf-in-session-destroy.yml
+++ b/changelogs/unreleased/refactor-disable-csrf-in-session-destroy.yml
+---
+title: Disable CSRF protection on logout endpoint
+merge_request: 25521
+author: Diego Louzán
+type: changed
--- a/spec/requests/sessions_spec.rb
+++ b/spec/requests/sessions_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Sessions' do
+  context 'authentication', :allow_forgery_protection do
+    let(:user) { create(:user) }
+
+    it 'logout does not require a csrf token' do
+      login_as(user)
+
+      post(destroy_user_session_path, headers: { 'X-CSRF-Token' => 'invalid' })
+
+      expect(response).to redirect_to(new_user_session_path)
+    end
+  end
+end