Add `rescue false`.

config/initializers/omniauth.rb

@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
 # In case of auto sign-in, the GET method is used (users don't get to click on a button)
 OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
 OmniAuth.config.before_request_phase do |env|
-  GitLab::RequestForgeryProtection.call(env)
+  Gitlab::RequestForgeryProtection.call(env)
 end
 
 if Gitlab.config.omniauth.enabled

lib/api/helpers.rb

@@ -338,7 +338,7 @@ module API
 
     # Check if CSRF tokens are valid.
     def verified_request?
-      GitLab::RequestForgeryProtection.call(env)
+      Gitlab::RequestForgeryProtection.call(env) rescue false
     end
 
     # Check the Rails session for valid authentication details

lib/gitlab/request_forgery_protection.rb

@@ -2,7 +2,7 @@
 # It's used in API helpers and OmniAuth.
 # Usage: GitLab::RequestForgeryProtection.call(env)
 
-module GitLab
+module Gitlab
   module RequestForgeryProtection
     class Controller < ActionController::Base
       protect_from_forgery with: :exception