Add exemption for ACS endpoint
In a SAML scenario we don't get any strict or lax cookie send for the ACS endpoint. Since we have some legacy code in Nextcloud (direct PHP files) the enforcement of lax cookies is performed here instead of the middleware. This means we cannot exclude some routes from the cookie validation, which normally is not a problem but is a little bit cumbersome for this use-case. Once the old legacy PHP endpoints have been removed we can move the verification into a middleware and also adds some exemptions. Not super awesome code to have but the best that I could come up with that doesn't add another ton of technical debt.
Please register or sign in to comment