Do not require CSRF token for logout
Summary
In !22113 (merged), the HTTP method for sign out was changed from GET to POST. However, in addition to the method change the sign out now requires a valid CSRF token. This prevents to sign out from another application.
Steps to reproduce
Try to log out via a HTML form which has the POST method and the sign out route as action:
<form action="https://gitlab.example.com/users/sign_out" method="post">
<button>Sign out</button>
</form>What is the current bug behavior?
Gitlab responds with a HTTP error 422 and the message "The change you requested was rejected." as no valid CSRF token can be provided.
What is the expected correct behavior?
The sign out is performed successfully.
Relevant logs and/or screenshots
Possible fixes
The logout should not require a CSRF token, as discussed in Gitlab-FOSS issue 39708.