From 44f94d6770e14e462146355da40959ac45c9cad8 Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Tue, 3 Jun 2025 09:43:25 +0200
Subject: [PATCH] Add OPENID_HTTP_VERIFY_SSL_PEER env var to disable ssl cert verification Closes #479
---
 .env.example | 3 +++
 Dockerfile | 4 ++++
 bootstrap/app.php | 2 +-
 config/services.php | 3 +++
 docker/docker-compose.yml | 4 ++++
 5 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.env.example b/.env.example
index 35498b46..30e003ec 100644
--- a/.env.example
+++ b/.env.example
@@ -252,6 +252,9 @@ WEBAUTHN_USER_VERIFICATION=preferred
 # OPENID_USERINFO_URL=
 # OPENID_CLIENT_ID=
 # OPENID_CLIENT_SECRET=
+# OPENID_HTTP_VERIFY_SSL_PEER=true
+# Can also be the path to a custom certificate on disk, i.e
+# OPENID_HTTP_VERIFY_SSL_PEER=/path/to/cert.pem
 # GITHUB_CLIENT_ID=
 # GITHUB_CLIENT_SECRET=
diff --git a/Dockerfile b/Dockerfile
index 71a71841..09a42b4e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -227,6 +227,10 @@ ENV \
 # OPENID_USERINFO_URL= \
 # OPENID_CLIENT_ID= \
 # OPENID_CLIENT_SECRET= \
+ # OPENID_HTTP_VERIFY_SSL_PEER=true \
+ # Can also be the path to a custom certificate on disk, i.e
+ # OPENID_HTTP_VERIFY_SSL_PEER=/path/to/cert.pem \
+ #
 # GITHUB_CLIENT_ID= \
 # GITHUB_CLIENT_SECRET= \
 # Use this setting to declare trusted proxied.
diff --git a/bootstrap/app.php b/bootstrap/app.php
index 8695be52..e0f9e079 100644
--- a/bootstrap/app.php
+++ b/bootstrap/app.php
@@ -15,7 +15,7 @@ if (! function_exists('envUnlessEmpty')) {
 /**
 * @return mixed|null
 */
- function envUnlessEmpty(string $key, string|int|bool|float|null $default = null)
+ function envUnlessEmpty(string $key, string|int|bool|float|array|null $default = null)
 {
 $result = env($key, $default);
 if ('' === $result) {
diff --git a/config/services.php b/config/services.php
index b7597190..951d2ace 100644
--- a/config/services.php
+++ b/config/services.php
@@ -28,6 +28,9 @@ return [
 'client_id' => env('OPENID_CLIENT_ID'),
 'client_secret' => env('OPENID_CLIENT_SECRET'),
 'redirect' => env('APP_URL') . '/socialite/callback/openid',
+ 'guzzle' => [
+ 'verify' => envUnlessEmpty('OPENID_HTTP_VERIFY_SSL_PEER', true), // https://docs.guzzlephp.org/en/stable/request-options.html#verify
+ ]
 ],
 'github' => [
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index d6a4e33a..e0942466 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -124,6 +124,10 @@ services:
 # - OPENID_USERINFO_URL=
 # - OPENID_CLIENT_ID=
 # - OPENID_CLIENT_SECRET=
+ # - OPENID_HTTP_VERIFY_SSL_PEER=true
+ # Can also be the path to a custom certificate on disk, i.e
+ # - OPENID_HTTP_VERIFY_SSL_PEER=/path/to/cert.pem
+ #
 # - GITHUB_CLIENT_ID=
 # - GITHUB_CLIENT_SECRET=
 # Use this setting to declare trusted proxied.
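Review bot: The `'verify'` entry added under `'guzzle'` in config/services.php accepts `false`, which switches off TLS certificate validation for the OpenID HTTP requests, and neither this line nor the example files say what that gives up. With validation off, anything on the network path between the app and the identity provider can answer those requests, so the responses used to sign a user in, and the client secret sent with them, are no longer protected. I would put that next to the option, e.g. `// false disables certificate validation for every OpenID request; for a private CA set a CA bundle path instead`, and repeat it in the `.env.example`, Dockerfile and docker-compose.yml comments, which currently describe the path form as a "custom certificate" rather than a CA bundle. Whether the openid provider hands the `guzzle` array on to its HTTP client is not visible in this patch.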