From 899e0f32b47e5ee1b78d3561626c99e6c13190cb Mon Sep 17 00:00:00 2001
From: Jane Sandberg
Date: Fri, 12 Jan 2024 15:54:41 -0800
Subject: [PATCH] Fix CAS Login for local development

---
 config/initializers/cookies_serializer.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/initializers/cookies_serializer.rb b/config/initializers/cookies_serializer.rb
index dac408419..a4dd66d83 100644
--- a/config/initializers/cookies_serializer.rb
+++ b/config/initializers/cookies_serializer.rb
@@ -3,4 +3,9 @@
 # Be sure to restart your server when you modify this file.
 Rails.application.config.action_dispatch.cookies_serializer = :json
-Rails.application.config.action_dispatch.cookies_same_site_protection = :strict
+ # Strict Same Site Protection protects users from CSRF attacks from non-Princeton # domains. However, when running orangelight on localhost, the CAS login page is # on a different domain from orangelight (localhost vs. *.princeton.edu), so # we exclude the dev environment from these protections so they can use CAS locally. Rails.application.config.action_dispatch.cookies_same_site_protection = :strict unless Rails.env.development?
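Review bot: The `unless Rails.env.development?` guard on the last added line does not disable SameSite in development as the new comment suggests ("exclude the dev environment from these protections"); it only skips the assignment, so `cookies_same_site_protection` keeps whatever the app's `load_defaults` supplies, which is `:lax` under 6.1+ defaults and no attribute at all under older ones — that setting is not visible in this hunk, so the comment should name the actual fallback rather than imply "none". If `:lax` is what lets the CAS top-level redirect back to localhost carry the session cookie, pinning it explicitly keeps cross-site POST CSRF protection in dev and removes the dependency on the framework default: `Rails.application.config.action_dispatch.cookies_same_site_protection = Rails.env.development? ? :lax : :strict`. Consider also moving the development override into `config/environments/development.rb` so this initializer stays environment-agnostic and the production value is never conditional.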