FIX: Skip CSRF token check on webhook routes (#16982)

The `WebhookController` inherits directly from `ActionController::Base`. Since Rails 5.2, forgery protection has been enabled by default. When we applied those new defaults in 0403a8633b, it took effect on this controller and broke integrations.

This commit explicitly disables CSRF protection on these webhook routes, and updates the specs so they'll catch this kind of regression in future.

app/controllers/webhooks_controller.rb

@@ -3,6 +3,7 @@
 require "openssl"
 
 class WebhooksController < ActionController::Base
+  skip_before_action :verify_authenticity_token
 
   def mailgun
     return mailgun_failure if SiteSetting.mailgun_api_key.blank?

spec/requests/webhooks_controller_spec.rb

@@ -15,6 +15,11 @@ describe WebhooksController do
 
     before do
       SiteSetting.mailgun_api_key = "key-8221462f0c915af3f6f2e2df7aa5a493"
+      ActionController::Base.allow_forgery_protection = true # Ensure the endpoint works, even with CSRF protection generally enabled
+    end
+
+    after do
+      ActionController::Base.allow_forgery_protection = false
     end
 
     it "works (deprecated)" do