Remove form_post security impact option

This is probably no longer in place, but should be solved differently by now (by session mapping similar to saml RelayState)
opf · Oct 15, 2024 · 70b3b1e · 70b3b1e
1 parent 44cbe48
commit 70b3b1e
Showing 1 changed file with 1 addition and 15 deletions.
diff --git a/modules/openid_connect/lib/open_project/openid_connect/engine.rb b/modules/openid_connect/lib/open_project/openid_connect/engine.rb
@@ -60,24 +60,10 @@ class Engine < ::Rails::Engine
       end
     end
 
-    initializer "openid_connect.form_post_method" do
-      # If response_mode 'form_post' is chosen,
-      # the IP sends a POST to the callback. Only if
-      # the sameSite flag is not set on the session cookie, is the cookie send along with the request.
-      if OpenProject::Configuration[OpenProject::OpenIDConnect::CONFIG_KEY]&.any? do |_, v|
-        v["response_mode"]&.to_s == "form_post"
-      end
-        SecureHeaders::Configuration.default.cookies[:samesite][:lax] = false
-        # Need to reload the secure_headers config to
-        # avoid having set defaults (e.g. https) when changing the cookie values
-        load Rails.root.join("config/initializers/secure_headers.rb")
-      end
-    end
-
     initializer "openid_connect.configuration" do
       ::Settings::Definition.add :seed_oidc_provider,
                                  description: "Provide a OIDC provider and sync its settings through ENV",
-                                 env_alias: "OPENPROJECT_OIDC",
+                                 env_alias: "OPENPROJECT_OPENID__CONNECT",
                                  writable: false,
                                  default: {},
                                  format: :hash