From e7fe213f80d81309339d281cc54cf24b24e4270f Mon Sep 17 00:00:00 2001
From: Jens Ulferts
Date: Tue, 2 Oct 2018 15:11:47 +0200
Subject: [PATCH] lessen sameSite restriction on form_post methods

When using form_post response_method, a post request is issued by an IP site. Cookies being flagged `sameSite: Lax` will not be send by cross site POST requests. We thus have to remove that flag
---
 lib/open_project/openid_connect/engine.rb | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lib/open_project/openid_connect/engine.rb b/lib/open_project/openid_connect/engine.rb
index e816990ecb..d440e5ab56 100644
--- a/lib/open_project/openid_connect/engine.rb
+++ b/lib/open_project/openid_connect/engine.rb
@@ -50,6 +50,19 @@ module OpenProject::OpenIDConnect
     end
   end
 
+  #config.to_prepare do
+  initializer 'openid_connect.form_post_method' do
+    # If response_mode 'form_post' is chosen,
+    # the IP sends a POST to the callback. Only if
+    # the sameSite flag is not set on the session cookie, is the cookie send along with the request.
+    if OpenProject::Configuration.openid_connect.any? { |_, v| v['response_mode']&.to_s == 'form_post' }
+      SecureHeaders::Configuration.default.cookies[:samesite][:lax] = false
+      # Need to reload the secure_headers config to
+      # avoid having set defaults (e.g. https) when changing the cookie values
+      load Rails.root + 'config/initializers/secure_headers.rb'
+    end
+  end
+
   config.to_prepare do
     # set a secure cookie in production
     secure_cookie = !!Rails.configuration.force_ssl
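Review bot: Setting `SecureHeaders::Configuration.default.cookies[:samesite][:lax] = false` clears the SameSite attribute on every cookie the application issues, not only for the OIDC callback, so the cross-site request protection that Lax gave the session cookie is dropped application-wide as soon as any provider uses form_post; the in-code comment should state that trade-off explicitly, e.g. `# NOTE: this drops SameSite=Lax from all cookies, not just the callback; the CSRF token check remains the primary protection.` The commented-out `#config.to_prepare do` line directly above the initializer looks like leftover scaffolding and should be removed. The `load Rails.root + 'config/initializers/secure_headers.rb'` re-executes a file Rails also runs as an application initializer; its ordering relative to this engine initializer is not visible here, and if it runs afterwards the value set here would presumably be overwritten, so the ordering is worth confirming. `OpenProject::Configuration.openid_connect` is assumed to be non-nil; if an installation without providers yields nil, the `.any?` call raises at boot. In the comment, `is the cookie send along` should read `is the cookie sent along`.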