feat: remove support for legacy cookie

2026-02-14 17:49:54 +00:00 · 2025-11-21 14:13:21 +01:00
parent d930b2e532
commit 5febe7c766
8 changed files with 0 additions and 34 deletions
--- a/charts/wonderwall/Feature.yaml
+++ b/charts/wonderwall/Feature.yaml
@@ -51,10 +51,6 @@ values:
    description: Enable ID-porten. Requires Digdirator to be enabled.
    config:
      type: bool
-  idporten.legacyCookie:
-    description: Set legacy session cookie for logins.
-    config:
-      type: bool
  idporten.openidResourceIndicator:
    description: Resource indicator for audience-restricted tokens.
    config:
--- a/charts/wonderwall/templates/idporten-deployment.yaml
+++ b/charts/wonderwall/templates/idporten-deployment.yaml
@@ -61,8 +61,6 @@ spec:
            value: "{{- include "wonderwall.idporten.ssoServerURL" . }}"
          - name: WONDERWALL_SHUTDOWN_WAIT_BEFORE_PERIOD
            value: "5s"
-          - name: WONDERWALL_LEGACY_COOKIE
-            value: "{{ .Values.idporten.legacyCookie }}"
          - name: WONDERWALL_OPENID_ACR_VALUES
            value: "{{ .Values.idporten.openidAcrValues | required ".Values.idporten.openidAcrValues is required." }}"
          - name: WONDERWALL_OPENID_LOCALE
--- a/charts/wonderwall/values.yaml
+++ b/charts/wonderwall/values.yaml
@@ -33,7 +33,6 @@ idporten:
  clientSessionLifetime: 21600
  clientSecretName: idporten-sso-server
  ingressClassName: nais-ingress-external
-  legacyCookie: true
  openidAcrValues: idporten-loa-high
  openidLocale: nb
  openidPostLogoutRedirectURL:
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -31,7 +31,6 @@ type Config struct {
 	Cookie                 Cookie   `json:"cookie"`
 	EncryptionKey          string   `json:"encryption-key"`
 	Ingresses              []string `json:"ingress"`
-	LegacyCookie           bool     `json:"legacy-cookie"`
 	UpstreamAccessLogs     bool     `json:"upstream-access-logs"`
 	UpstreamHost           string   `json:"upstream-host"`
 	UpstreamIP             string   `json:"upstream-ip"`
--- a/pkg/config/cookie.go
+++ b/pkg/config/cookie.go
@@ -82,7 +82,6 @@ const (
 	CookieSameSite = "cookie.same-site"
 	CookieSecure   = "cookie.secure"
 	EncryptionKey  = "encryption-key"
-	LegacyCookie   = "legacy-cookie"
 )

 func cookieFlags() {
@@ -90,5 +89,4 @@ func cookieFlags() {
 	flag.String(CookieSameSite, string(SameSiteLax), "SameSite attribute for session cookies.")
 	flag.Bool(CookieSecure, true, "Set secure flag on session cookies. Can only be disabled when `ingress` only consist of localhost hosts. Generally, disabling this is only necessary when using Safari.")
 	flag.String(EncryptionKey, "", "Base64 encoded 256-bit cookie encryption key; must be identical in instances that share session store.")
-	flag.Bool(LegacyCookie, false, "Set legacy session cookie.")
 }
--- a/pkg/cookie/cookie.go
+++ b/pkg/cookie/cookie.go
@@ -12,7 +12,6 @@ import (

 const (
 	DefaultPrefix = "io.nais.wonderwall"
-	loginservice  = "selvbetjening-idtoken"
 )

 var (
@@ -133,20 +132,6 @@ func EncryptAndSet(w http.ResponseWriter, key, value string, opts Options, crypt
 	return nil
 }

-func SetLegacyCookie(w http.ResponseWriter, value string, opts Options) {
-	c := Make(loginservice, value, opts.
-		WithSameSite(http.SameSiteLaxMode).
-		WithPath("/"))
-	Set(w, c)
-}
-
-func ClearLegacyCookies(w http.ResponseWriter, opts Options) {
-	// TODO - remove when legacy services are sunset and shut down
-	Clear(w, loginservice, opts.
-		WithSameSite(http.SameSiteLaxMode).
-		WithPath("/"))
-}
-
 func ConfigureCookieNamesWithPrefix(prefix string) {
 	Login = login(prefix)
 	Logout = logout(prefix)
--- a/pkg/handler/handler.go
+++ b/pkg/handler/handler.go
@@ -273,12 +273,6 @@ func (s *Standalone) LoginCallback(w http.ResponseWriter, r *http.Request) {
 	}

 	redirect := s.Redirect.Clean(r, loginCookie.Referer)
-
-	// TODO - remove when legacy services are sunset and shut down
-	if s.Config.LegacyCookie {
-		cookie.SetLegacyCookie(w, tokens.AccessToken, opts)
-	}
-
 	fields := log.Fields{
 		"redirect_to": redirect,
 		"sid":         sess.ExternalSessionID(),
--- a/pkg/handler/handler_sso_server.go
+++ b/pkg/handler/handler_sso_server.go
@@ -32,17 +32,14 @@ func NewSSOServer(cfg *config.Config, handler *Standalone) (*SSOServer, error) {
 }

 func (s *SSOServer) Logout(w http.ResponseWriter, r *http.Request) {
-	cookie.ClearLegacyCookies(w, s.GetCookieOptions(r))
 	s.Standalone.Logout(w, r)
 }

 func (s *SSOServer) LogoutFrontChannel(w http.ResponseWriter, r *http.Request) {
-	cookie.ClearLegacyCookies(w, s.GetCookieOptions(r))
 	s.Standalone.LogoutFrontChannel(w, r)
 }

 func (s *SSOServer) LogoutLocal(w http.ResponseWriter, r *http.Request) {
-	cookie.ClearLegacyCookies(w, s.GetCookieOptions(r))
 	s.Standalone.LogoutLocal(w, r)
 }