CSRF token is required when using the Revoke Session API endpoint #838

Closed
dbhobbs opened this issue Nov 19, 2020 · 0 comments
Labels
corp/m4 Up for M4 at Ory Corp.

Comments


dbhobbs commented Nov 19, 2020

Describe the bug

The Revoke and Invalidate a Session endpoint (DELETE /sessions) requires a CSRF token.

Reproducing the bug

Steps to reproduce the behavior:

  1. Run docker-compose up kratos

  2. Make API Request with curl

curl -i -X DELETE -H "Content-Type: application/json" -H "Accept: application/json" \
  -d '{"session_token":"jJeIuVlImue5olFeHwADe6zQNR4pzoVq"}' \
  http://127.0.0.1:4433/sessions

  3. Request fails with response:
HTTP/1.1 400 Bad Request
Content-Type: application/json
Set-Cookie: csrf_token=xz1MtK1+LjuAgf9PBVVRyih5PzKpGJ3kkWAZVf090+g=; Path=/; Domain=127.0.0.1; Max-Age=31536000; HttpOnly; Secure
Vary: Cookie
Date: Thu, 19 Nov 2020 19:16:52 GMT
Content-Length: 161

{
  "error":
  {
    "code":400,
    "status":"Bad Request",
    "reason":"CSRF token is missing or invalid.",
    "message":"The request was malformed or contained invalid parameters"
  }
}

Server logs

kratos_1  | time=2020-11-19T19:16:52Z level=warning msg=A request failed due to a missing or invalid csrf_token value audience=application expected_token=v7oA7rJUmK51hHZt72t9bScGV/SOp91Hz7LbgIzl0054h0xaHyq2lfUFiSLqPiynD39oxie/QKNe0sLVcdgApg== received_token= received_token_form= service_name=kratos service_version=
kratos_1  | time=2020-11-19T19:16:52Z level=error msg=An error occurred while handling a request audience=application error=map[debug: message:The request was malformed or contained invalid parameters reason:CSRF token is missing or invalid. status:Bad Request status_code:400] http_request=map[headers:map[accept:application/json user-agent:curl/7.68.0] host:127.0.0.1:4433 method:DELETE path:/sessions query:<nil> remote:172.21.0.1:34396 scheme:http] http_response=map[status_code:400] service_name=kratos service_version=
kratos_1  | time=2020-11-19T19:16:52Z level=info msg=started handling request method=DELETE name=public#http://127.0.0.1 remote=172.21.0.1:34396 request=/sessions
kratos_1  | time=2020-11-19T19:16:52Z level=info msg=completed handling request method=DELETE name=public#http://127.0.0.1 remote=172.21.0.1:34396 request=/sessions status=400 text_status=Bad Request took=86.526µs

Server configuration

identity:
  default_schema_url: file:///home/ory/identities/identity.traits.schema.json

dsn: <pg connection>

selfservice:
  default_browser_return_url: http://127.0.0.1:4000/

  methods:
    password:
      enabled: true
    oidc:
      enabled: true

  flows:
    logout:
      after:
        default_browser_return_url: http://127.0.0.1:4000

courier:
  smtp:
    connection_uri: smtps://foo:bar@kratos
    from_address: "kratos@ory.org"

hashers:
  argon2:
    parallelism: 1
    memory: 131072
    iterations: 3
    salt_length: 16
    key_length: 32

serve:
  public:
    base_url: http://127.0.0.1

log:
  leak_sensitive_values: true

Expected behavior

A clear and concise description of what you expected to happen.

Environment

  • Version: v0.5.3-alpha.1
  • Build Commit: 64dc91a
  • Build Timestamp: 2020-10-27T13:52:18Z

Additional context

I tried a lot of different variations to fetch a CSRF token, but all of them failed (as I expected, since no GET method is supported).
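The security point behind this report is that CSRF protection only defends against requests whose credential the browser attaches on its own (a session cookie). A request that proves possession of a session token in its JSON body, as the curl call above does, cannot be forged by a cross-site page, so demanding a CSRF token there adds no protection and only locks out API clients. The following Go program is an added illustration of that decision rule, written for this page; it is not Kratos' own handler or middleware, and the cookie and header names (`ory_kratos_session`, `csrf_token`, `X-CSRF-Token`) and the constructed requests are assumptions for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Cookie and header names are assumptions for this illustration, not Kratos'
// actual names.
const (
	sessionCookie = "ory_kratos_session" // ambient credential the browser attaches on its own
	csrfCookie    = "csrf_token"         // double-submit cookie (the issue's 400 response sets one)
	csrfHeader    = "X-CSRF-Token"       // the copy a browser client must add explicitly
)

// revokeBody mirrors the JSON body the issue sends to DELETE /sessions.
type revokeBody struct {
	SessionToken string `json:"session_token"`
}

// csrfValid is a plain double-submit check: the CSRF cookie and the CSRF
// header must carry the same non-empty value, compared in constant time.
func csrfValid(r *http.Request) bool {
	c, err := r.Cookie(csrfCookie)
	if err != nil || c.Value == "" {
		return false
	}
	h := r.Header.Get(csrfHeader)
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(h)) == 1
}

// handleRevoke decides which credential authenticates a DELETE /sessions call
// and whether a CSRF token is required for it. It returns the HTTP status and
// the "reason" string used in the issue's error JSON (empty on success).
func handleRevoke(r *http.Request) (int, string) {
	if r.Method != http.MethodDelete {
		return http.StatusMethodNotAllowed, "method not allowed"
	}
	var body revokeBody
	raw, _ := io.ReadAll(r.Body)
	_ = json.Unmarshal(raw, &body) // an empty or non-JSON body just leaves the token blank

	// API client: the caller proves possession of the session token in the
	// body. A cross-site page cannot make the victim's browser add that value,
	// so a CSRF check protects nothing here and only breaks curl-style clients.
	// The token in the body is also the session being revoked.
	if body.SessionToken != "" {
		return http.StatusNoContent, ""
	}

	// Browser client: authentication is ambient (session cookie), which is
	// exactly what a cross-site form submission can trigger, so the
	// double-submit check applies before the cookie's session is revoked.
	if _, err := r.Cookie(sessionCookie); err == nil {
		if !csrfValid(r) {
			return http.StatusBadRequest, "CSRF token is missing or invalid."
		}
		return http.StatusNoContent, ""
	}

	return http.StatusUnauthorized, "no session token in body and no session cookie"
}

// newRevokeRequest builds a DELETE /sessions request from the given JSON body,
// cookies and headers (constructed input for the example).
func newRevokeRequest(body string, cookies, headers map[string]string) *http.Request {
	r := httptest.NewRequest(http.MethodDelete, "/sessions", strings.NewReader(body))
	r.Header.Set("Content-Type", "application/json")
	for k, v := range cookies {
		r.AddCookie(&http.Cookie{Name: k, Value: v})
	}
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	cases := []struct {
		label string
		req   *http.Request
	}{
		{"API client, session_token in body, no cookies", newRevokeRequest(`{"session_token":"jJeIuVlImue5olFeHwADe6zQNR4pzoVq"}`, nil, nil)},
		{"browser, session cookie, no CSRF token", newRevokeRequest("", map[string]string{sessionCookie: "s1"}, nil)},
		{"browser, session cookie, matching CSRF cookie and header", newRevokeRequest("", map[string]string{sessionCookie: "s1", csrfCookie: "t1"}, map[string]string{csrfHeader: "t1"})},
		{"browser, session cookie, wrong CSRF header", newRevokeRequest("", map[string]string{sessionCookie: "s1", csrfCookie: "t1"}, map[string]string{csrfHeader: "t2"})},
		{"no credential at all", newRevokeRequest("", nil, nil)},
	}
	for _, c := range cases {
		status, reason := handleRevoke(c.req)
		fmt.Printf("%-58s -> %d %s\n", c.label, status, reason)
	}
}
```

Only the browser path (session cookie, no explicit token) reproduces the 400 with "CSRF token is missing or invalid." from the report; the curl call with a session_token in the body passes without any CSRF material, which is the behaviour the issue asks for. The rule to take away is that CSRF enforcement should be keyed to the credential type actually used to authorize the request, not to the route.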
