
Fix SmsController by adding protect_from_forgery

Baodong requested to merge fix/csrf-sms-controller into main-jh

What does this MR do and why?

Background

In Rails:

config.action_controller.default_protect_from_forgery is set to true, which is the default for newly created Rails applications.

Upstream MRs changed the value of default_protect_from_forgery:

So, you will get the values like this in Rails console:

Rails.application.config.action_controller.forgery_protection_origin_check
# => false

ActionController::Base.forgery_protection_origin_check
# => false

In other words, you need to enable this feature manually in controllers with protect_from_forgery.

ApplicationController already calls this method, so a controller that inherits from it does not need to call it again:

https://jihulab.com/gitlab-cn/gitlab/blob/37243e1add1be5c96ccdad7561a3f02ce0b6a6d3/app/controllers/application_controller.rb#L58-58

What needs to be done in this MR

Add protect_from_forgery to SmsController.
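To make the mechanism behind this change concrete, the following is an added example (not code from this MR, from GitLab, or from Rails itself): a stand-alone, simplified emulation of what protect_from_forgery does on each non-GET request. Rails masks the per-session token with a one-time pad and compares the unmasked X-CSRF-Token header value against the session token in constant time; a mismatch raises InvalidAuthenticityToken, which is rendered as 422. All method names below (generate_session_token, mask_token, handle_request, and so on) are hypothetical and only mimic the behaviour; the protect_from_forgery: switch models the controller-level opt-in that this MR adds to SmsController.

```ruby
# Added example: a minimal emulation of Rails' CSRF token check
# (ActionController::RequestForgeryProtection), runnable without Rails.
# Names are hypothetical; the masking scheme follows the same idea Rails
# uses (one-time pad XOR, then Base64), but is not Rails' own code.
require 'securerandom'

TOKEN_LENGTH = 32

# Raw per-session secret; in Rails this lives in the encrypted session cookie.
def generate_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

# Masks the raw token with a fresh one-time pad so the value embedded in a
# page or header differs on every response (defends against compression
# side channels such as BREACH). Output: Base64(pad || (pad XOR token)).
def mask_token(raw)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  masked = pad.bytes.zip(raw.bytes).map { |p, t| p ^ t }.pack('C*')
  [pad + masked].pack('m0')
end

# Reverses the mask. Returns nil for anything malformed (wrong length,
# invalid Base64, non-string input) so the caller treats it as a bad token.
def unmask_token(masked_b64)
  return nil unless masked_b64.is_a?(String)
  decoded = masked_b64.unpack1('m0')
  return nil unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  pad.bytes.zip(masked.bytes).map { |p, m| p ^ m }.pack('C*')
rescue ArgumentError
  nil
end

# Constant-time comparison: does not leak where the first differing byte is.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check itself. Safe methods (GET/HEAD) are never verified; everything
# else must carry a header token that unmasks to the session token.
# Returns an HTTP status like Rails would: 200 on success, 422 on failure.
def verify_request(method:, session_token:, header_token:)
  return 200 if %w[GET HEAD].include?(method)

  unmasked = unmask_token(header_token)
  return 422 if unmasked.nil?
  return 422 unless secure_compare(unmasked, session_token)

  200
end

# Models the controller-level switch. With default_protect_from_forgery
# set to false (the situation described in this MR), a controller that
# does not call protect_from_forgery never runs the check at all, so a
# replayed request with a wrong or missing token is still accepted.
def handle_request(method:, session_token:, header_token:, protect_from_forgery:)
  return 200 unless protect_from_forgery

  verify_request(method: method, session_token: session_token, header_token: header_token)
end

if __FILE__ == $PROGRAM_NAME
  session = generate_session_token
  good = mask_token(session)
  # Constructed replay: the token header is altered, as in the validation steps.
  puts "unprotected controller, tampered token: #{handle_request(method: 'POST', session_token: session, header_token: 'tampered', protect_from_forgery: false)}"
  puts "protected controller, tampered token:   #{handle_request(method: 'POST', session_token: session, header_token: 'tampered', protect_from_forgery: true)}"
  puts "protected controller, valid token:      #{handle_request(method: 'POST', session_token: session, header_token: good, protect_from_forgery: true)}"
end
```

The last three lines reproduce the validation steps below: with the switch off, the altered x-csrf-token header is accepted; with it on, the same request is rejected with 422 while a freshly masked token still passes.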

Screenshots or screen recordings

422 is expected.

[Screenshot 2023-03-22_17.16.31]

How to set up and validate locally

  1. Visit http://localhost:3000/users/sign_up
  2. Click the "get code" button
  3. Copy the POST request to http://localhost:3000/-/sms/verification_code
  4. Change the x-csrf-token header and replay the request

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Baodong
