Fix NoMethodError when a non-string CSRF token is passed through header

The method was already checking for non-string objects, but only after
calling `#empty?` as the only test was though a form-encoded request.

But using JSON requests it's possible to pass a CSRF token that
doesn't even respond to `#empty?`.

Co-Authored-By: Jean Boussier <[email protected]>

Author: ryenski

actionpack/lib/action_controller/metal/request_forgery_protection.rb

@@ -507,7 +507,7 @@ def masked_authenticity_token(form_options: {})
       # Checks the client's masked token to see if it matches the session token.
       # Essentially the inverse of `masked_authenticity_token`.
       def valid_authenticity_token?(session, encoded_masked_token) # :doc:
-        if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String)
+        if !encoded_masked_token.is_a?(String) || encoded_masked_token.empty?
           return false
         end
 

actionpack/test/controller/request_forgery_protection_test.rb

@@ -675,7 +675,7 @@ def test_csrf_token_is_not_saved_if_it_is_nil
 
   def test_should_not_raise_error_if_token_is_not_a_string
     assert_blocked do
-      patch :index, params: { custom_authenticity_token: { foo: "bar" } }
+      patch :index, params: { custom_authenticity_token: 1 }, as: :json
     end
   end