Guard against a login attempt with invalid CSRF token

If a user logs in with a bad CSRF token, the Warden before_logout
hook will be called with no valid user. This would lead to odd
Error 500 messages with a backtrace.

Addresses part of #50857

changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml

@@ -0,0 +1,5 @@
+---
+title: Guard against a login attempt with invalid CSRF token
+merge_request: 21934
+author:
+type: fixed

config/initializers/warden.rb

@@ -31,6 +31,11 @@ Rails.application.configure do |config|
 
   Warden::Manager.before_logout(scope: :user) do |user, auth, opts|
     user ||= auth.user
+
+    # Rails CSRF protection may attempt to log out a user before that
+    # user even logs in
+    next unless user
+
     activity = Gitlab::Auth::Activity.new(opts)
     tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)