From 70b3b1e7f1ed233d9ab32c47d10a1a94b14cc33b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Mon, 14 Oct 2024 21:41:17 +0200
Subject: [PATCH] Remove form_post security impact option

This is probably no longer in place, but should be solved differently by now (by session mapping similar to saml RelayState)
---
 .../lib/open_project/openid_connect/engine.rb | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)

diff --git a/modules/openid_connect/lib/open_project/openid_connect/engine.rb b/modules/openid_connect/lib/open_project/openid_connect/engine.rb
index c7e9cff0235e..bde77b42ab7f 100644
--- a/modules/openid_connect/lib/open_project/openid_connect/engine.rb
+++ b/modules/openid_connect/lib/open_project/openid_connect/engine.rb
@@ -60,24 +60,10 @@ class Engine < ::Rails::Engine
       end
     end
 
-    initializer "openid_connect.form_post_method" do
-      # If response_mode 'form_post' is chosen,
-      # the IP sends a POST to the callback. Only if
-      # the sameSite flag is not set on the session cookie, is the cookie send along with the request.
-      if OpenProject::Configuration[OpenProject::OpenIDConnect::CONFIG_KEY]&.any? do |_, v|
-        v["response_mode"]&.to_s == "form_post"
-      end
-        SecureHeaders::Configuration.default.cookies[:samesite][:lax] = false
-        # Need to reload the secure_headers config to
-        # avoid having set defaults (e.g. https) when changing the cookie values
-        load Rails.root.join("config/initializers/secure_headers.rb")
-      end
-    end
-
     initializer "openid_connect.configuration" do
       ::Settings::Definition.add :seed_oidc_provider,
                                  description: "Provide a OIDC provider and sync its settings through ENV",
-                                 env_alias: "OPENPROJECT_OIDC",
+                                 env_alias: "OPENPROJECT_OPENID__CONNECT",
                                  writable: false,
                                  default: {},
                                  format: :hash
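Review bot: The only added line renames `env_alias` from `"OPENPROJECT_OIDC"` to `"OPENPROJECT_OPENID__CONNECT"`, which is unrelated to the subject and is not mentioned in the commit message; deployments that seed the provider through the old prefix will silently stop picking it up, and since the setting is declared `writable: false` there appears to be no other channel for it. That rename deserves its own note in the commit description or a changelog entry, and a short comment above the line, e.g. `# Renamed from OPENPROJECT_OIDC; the old prefix is no longer read`, so the next reader does not reintroduce it. Dropping the "openid_connect.form_post_method" initializer also means a provider still configured with `response_mode: form_post` will POST the callback cross-site while the session cookie keeps its Lax SameSite attribute, so the cookie will not accompany that request; the description says this is "probably" no longer in place and should be handled by session mapping, which is worth confirming before merge rather than assuming, or documenting in the "openid_connect.configuration" initializer where the replacement lives. The enclosing `class Engine < ::Rails::Engine` starts and ends outside the hunk.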