From 051cc6fe0db5a311998bece472982e19926a2bc5 Mon Sep 17 00:00:00 2001
From: Jiulong Wang <jiulongw@gmail.com>
Date: Tue, 19 Nov 2024 02:28:59 -0800
Subject: [PATCH] fix: Google OAuth broken in unified docker image (#4839)

---
 api/app/settings/common.py    |  1 +
 docker-compose.yml            |  4 ++++
 docs/docs/deployment/index.md | 11 +++++++++++
 3 files changed, 16 insertions(+)

diff --git a/api/app/settings/common.py b/api/app/settings/common.py
index c1b0d2096371..ee76139d98d8 100644
--- a/api/app/settings/common.py
+++ b/api/app/settings/common.py
@@ -543,6 +543,7 @@
 
 SECURE_REDIRECT_EXEMPT = env.list("DJANGO_SECURE_REDIRECT_EXEMPT", default=[])
 SECURE_REFERRER_POLICY = env.str("DJANGO_SECURE_REFERRER_POLICY", default="same-origin")
+SECURE_CROSS_ORIGIN_OPENER_POLICY = env.str("DJANGO_SECURE_CROSS_ORIGIN_OPENER_POLICY", default="same-origin")
 SECURE_SSL_HOST = env.str("DJANGO_SECURE_SSL_HOST", default=None)
 SECURE_SSL_REDIRECT = env.bool("DJANGO_SECURE_SSL_REDIRECT", default=False)
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 7eb99a893ff6..2c25b4032850 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -42,6 +42,10 @@ services:
       # Enable Task Processor
       TASK_RUN_METHOD: TASK_PROCESSOR # other options are: SYNCHRONOUSLY, SEPARATE_THREAD (default)
 
+      # Uncomment if you want to enable Google OAuth. Note this does not turn Google OAuth on. You still need to use
+      # Flagsmith on Flagsmith to enable it - https://docs.flagsmith.com/deployment/#oauth_google
+      # DJANGO_SECURE_CROSS_ORIGIN_OPENER_POLICY: 'same-origin-allow-popups'
+
       # For more info on configuring E-Mails - https://docs.flagsmith.com/deployment/locally-api#environment-variables
       # Example SMTP:
       # EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
diff --git a/docs/docs/deployment/index.md b/docs/docs/deployment/index.md
index 9d10f26a91f1..fb86659c99f8 100644
--- a/docs/docs/deployment/index.md
+++ b/docs/docs/deployment/index.md
@@ -566,6 +566,17 @@ Create an OAuth application in the Google Developer Console and then provide the
 }
 ```
 
+If you are using the [unified Docker image](https://hub.docker.com/repository/docker/flagsmith/flagsmith), which serves
+both the API and the frontend through Django, ensure you configure the following environment variable in your
+deployment:
+
+```
+DJANGO_SECURE_CROSS_ORIGIN_OPENER_POLICY=same-origin-allow-popups
+```
+
+For those hosting the frontend independently, make sure you set the `Cross-Origin-Opener-Policy` to
+`same-origin-allow-popups` for Google OAuth flow to work.
+
 ### Dark Mode
 
 We also have a Segment that manages the ui Dark Mode: