Conversation

@garronej (Contributor) commented Jan 13, 2026

…abled, in that case disable it

Summary by CodeRabbit

  • New Features
    • Added OIDC_DISABLE_DPOP configuration option to control DPoP usage in OIDC authentication flows. The environment variable defaults to false and can be disabled when required for specific deployment scenarios or system compatibility needs.


@coderabbitai bot (Contributor) commented Jan 13, 2026

Walkthrough

The changes introduce conditional DPoP (Demonstrating Proof-of-Possession) support for OIDC authentication by adding an environment variable that can disable it. The feature is configured at deployment and application levels, with conditional imports in the main application initialization.

Changes

  • Configuration & Deployment (helm-chart/templates/web/deployment.yaml, web/.env): Adds OIDC_DISABLE_DPOP environment variable with default value false. When onboarding is enabled, the Helm deployment sets it to true. Includes a comment noting this as a temporary workaround pending Go onboarding API support.
  • Application Code (web/src/main.tsx, web/src/vite-env.d.ts): Implements conditional DPoP import in main initialization: imports DPoP only when OIDC_DISABLE_DPOP is not "true", then conditionally merges DPoP defenses into oidcEarlyInit security configuration. Adds corresponding TypeScript type declaration for the environment variable.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A feature flag hops into place,
DPoP now bows with flexible grace,
Temporary workaround, swift and clean,
Until the API joins the scene! ✨

Pre-merge checks (3 passed)

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The PR title accurately summarizes the main change: enabling DPoP when supported by the AS, except when Go Onboarding API is enabled, which disables it. The title is specific, clear, and reflects the core objective of the changeset.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Commits: reviewing files that changed from the base of the PR and between 5fc19ec and 7b92c89.

Files selected for processing (4)
  • helm-chart/templates/web/deployment.yaml
  • web/.env
  • web/src/main.tsx
  • web/src/vite-env.d.ts
Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: publish_web_docker_image
Additional comments (5)
web/.env (1)

890-892: LGTM!

The new OIDC_DISABLE_DPOP environment variable is well-placed alongside other OIDC settings with a clear comment explaining the temporary workaround context. The default value of false correctly enables DPoP by default.

helm-chart/templates/web/deployment.yaml (1)

44-47: Verify intentional override of user-defined values.

This block is placed after the web.env loop, meaning if a user explicitly sets OIDC_DISABLE_DPOP in their values, this will override it when onboarding.enabled is true. This appears intentional given the incompatibility between DPoP and the Go onboarding API, but worth confirming this is the desired behavior.

web/src/vite-env.d.ts (1)

69-69: LGTM!

The type declaration is correctly added to ImportMetaEnv alongside other OIDC-related environment variables.

web/src/main.tsx (2)

29-35: LGTM!

The optional chaining DPoP?.({ mode: "auto" }) correctly handles the case when DPoP is undefined—spreading undefined into an object is a no-op in JavaScript, so the security defenses work correctly in both enabled and disabled states.
21-27: Conditional import logic is correct.

The ternary expression elegantly handles the conditional import: returning a synchronous object { DPoP: undefined } when disabled avoids unnecessary network requests, while the dynamic import loads the DPoP module when enabled.

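The review above describes two properties of the flag handling: the DPoP module is loaded only when OIDC_DISABLE_DPOP is not exactly "true", and `...DPoP?.({ mode: "auto" })` is a no-op when the module was never loaded. The following is an added example, not code from this PR or from the oidc-spa project, that models that logic so the two properties can be checked directly. The dynamic `import()` is replaced by a synchronous, constructed loader (`importDpop`) so the example runs offline; the shape of the object the stand-in `DPoP()` returns is an assumption, not the library's real API. It also shows the fail-closed consequence of the strict string comparison: values such as "1" or "TRUE" leave DPoP enabled.

```javascript
// Added example (not the PR's or oidc-spa's code). Models the OIDC_DISABLE_DPOP
// handling described in the review; the loader is a constructed stand-in for the
// dynamic import() so no module is fetched.

// Mirrors the PR's comparison: DPoP is skipped only when the flag is exactly "true".
// Any other value ("1", "TRUE", "yes", unset) keeps the defence on, i.e. it fails closed.
function isDpopDisabled(env) {
  return env.OIDC_DISABLE_DPOP === "true";
}

// Conditional load: hand back a synchronous stand-in when disabled so the
// loader (the dynamic import in the real code) is never invoked.
function loadDpop(env, importDpop) {
  return isDpopDisabled(env) ? { DPoP: undefined } : importDpop();
}

// Build the defences object merged into the OIDC early init. `DPoP?.()` yields
// undefined when the module is absent, and spreading undefined adds no keys.
function buildSecurityDefenses(env, importDpop) {
  const { DPoP } = loadDpop(env, importDpop);
  return {
    ...DPoP?.({ mode: "auto" }),
  };
}

// Constructed stand-in for the DPoP module (hypothetical shape): counts loads and
// returns a descriptor for the requested mode.
function makeFakeDpopModule() {
  const state = { loadCount: 0 };
  const importDpop = () => {
    state.loadCount += 1;
    return { DPoP: ({ mode }) => ({ dpop: { mode, senderConstrained: true } }) };
  };
  return { importDpop, state };
}

// For each candidate flag value, report whether DPoP ended up enabled and
// whether the module loader was invoked. Keys are String(value), so an unset
// variable is reported under "undefined".
function evaluateFlagValues(values) {
  const results = {};
  for (const value of values) {
    const env = value === undefined ? {} : { OIDC_DISABLE_DPOP: value };
    const { importDpop, state } = makeFakeDpopModule();
    const defenses = buildSecurityDefenses(env, importDpop);
    results[String(value)] = {
      dpopEnabled: "dpop" in defenses,
      mode: defenses.dpop ? defenses.dpop.mode : null,
      moduleLoaded: state.loadCount === 1,
    };
  }
  return results;
}

// Usage: only the exact string "true" turns DPoP off and skips the load.
console.log(evaluateFlagValues(["true", "false", "1", "TRUE", undefined]));
```

The fail-closed behaviour is the point worth keeping in mind when wiring this into Helm values: a deployment that sets the variable to `"1"` or `"True"` expecting to disable DPoP will silently keep it enabled, which is the safer direction for a sender-constraint defence but can surprise an operator debugging the Go onboarding incompatibility.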

@sonarqubecloud

@garronej garronej merged commit c7efac0 into main Jan 13, 2026
8 checks passed
@garronej garronej deleted the DPoP_auto branch January 13, 2026 16:50