Merge pull request #15745 from opf/code-maintenance/55472-do-not-save…

…-access-token-in-cookies

[#55472] Do not save access token in cookies

modules/openid_connect/lib/open_project/openid_connect/hooks/hook.rb

@@ -41,22 +41,9 @@ def user_logged_in(context)
       end
 
       ##
-      # Once omniauth has returned with an auth hash
-      # persist the access token
-      def omniauth_user_authorized(context)
-        auth_hash = context[:auth_hash]
-        controller = context[:controller]
-
-        # fetch the access token if it's present
-        access_token = auth_hash.fetch(:credentials, {})[:token]
-        # put it into a cookie
-        if controller && access_token
-          controller.send(:cookies)[:_open_project_session_access_token] = {
-            value: access_token,
-            secure: !!Rails.configuration.force_ssl
-          }
-        end
-      end
+      # Called once omniauth has returned with an auth hash
+      # NOTE: It's a passthrough as we no longer persist the access token into the cookie
+      def omniauth_user_authorized(_context); end
     end
   end
 end

modules/openid_connect/spec/requests/openid_connect_spec.rb

@@ -98,13 +98,6 @@
       expect(response).to have_http_status :found
       expect(response.location).to match /\/\?first_time_user=true$/
 
-      # after_login requires the optional third context parameter
-      # remove this guard once we are on v4.1
-      if OpenProject::OmniAuth::Authorization.method(:after_login!).arity.abs > 2
-        # check that cookie is stored in the access token
-        expect(response.cookies["_open_project_session_access_token"]).to eq "foo bar baz"
-      end
-
       user = User.find_by(mail: user_info[:email])
 
       expect(user).not_to be_nil