Commit b29c012e authored by Diego Louzán's avatar Diego Louzán Committed by Imre Farkas

Disable CSRF protection on logout endpoint

Allow external applications to destroy sessions without requiring a
CSRF token
parent 04eb076d
...@@ -39,7 +39,7 @@ class SessionsController < Devise::SessionsController ...@@ -39,7 +39,7 @@ class SessionsController < Devise::SessionsController
# would cause the CSRF token to be cleared and then # would cause the CSRF token to be cleared and then
# RequestForgeryProtection#verify_authenticity_token would fail because of # RequestForgeryProtection#verify_authenticity_token would fail because of
# token mismatch. # token mismatch.
protect_from_forgery with: :exception, prepend: true protect_from_forgery with: :exception, prepend: true, except: :destroy
CAPTCHA_HEADER = 'X-GitLab-Show-Login-Captcha' CAPTCHA_HEADER = 'X-GitLab-Show-Login-Captcha'
MAX_FAILED_LOGIN_ATTEMPTS = 5 MAX_FAILED_LOGIN_ATTEMPTS = 5
......
---
title: Disable CSRF protection on logout endpoint
merge_request: 25521
author: Diego Louzán
type: changed
# frozen_string_literal: true
require 'spec_helper'
describe 'Sessions' do
context 'authentication', :allow_forgery_protection do
let(:user) { create(:user) }
it 'logout does not require a csrf token' do
login_as(user)
post(destroy_user_session_path, headers: { 'X-CSRF-Token' => 'invalid' })
expect(response).to redirect_to(new_user_session_path)
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment