From 8cea78c833960c2cd908809d1c7ef109ad3c22c1 Mon Sep 17 00:00:00 2001
From: Sam Saffron
Date: Mon, 26 Aug 2019 08:56:49 +1000
Subject: [PATCH] Revert "FEATURE: Protect against replay attacks when using TLS 1.3 0-RTT (#8020)"

This reverts commit 39c31a3d7693fae488461079c6f0c2bc7305c02e.

Sorry about this, we have decided againse supporting 0-RTT directly in core, this can be supported with similar hacks to this commit in a plugin. That said, we recommend against using a 0-RTT proxy for the Discourse app due to inherit risk of replay attacks.
---
 config/application.rb | 3 ---
 lib/middleware/early_data_check.rb | 27 ---------------------------
 2 files changed, 30 deletions(-)
 delete mode 100644 lib/middleware/early_data_check.rb

diff --git a/config/application.rb b/config/application.rb
index cef1abf6646..2d946b30ec7 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -214,9 +214,6 @@ module Discourse
     config.middleware.delete Rack::ETag unless Rails.env.development?
 
-    require 'middleware/early_data_check'
-    config.middleware.insert_after Rack::MethodOverride, Middleware::EarlyDataCheck
-
     require 'middleware/enforce_hostname'
     config.middleware.insert_after Rack::MethodOverride, Middleware::EnforceHostname
   end
diff --git a/lib/middleware/early_data_check.rb b/lib/middleware/early_data_check.rb
deleted file mode 100644
index dd3ced6995a..00000000000
--- a/lib/middleware/early_data_check.rb
+++ /dev/null
@@ -1,27 +0,0 @@
-# frozen_string_literal: true
-
-module Middleware
-  class EarlyDataCheck
-    def initialize(app, settings = nil)
-      @app = app
-    end
-
-    # When a new connection happens, and it uses TLS 1.3 0-RTT
-    # the reverse proxy will set the header `Early-Data` to 1.
-    # Due to 0-RTT susceptibility to Replay Attacks only GET
-    # requests for anonymous users are allowed.
-    # Reference: https://tools.ietf.org/html/rfc8446#appendix-E.5
-    def call(env)
-      if env['HTTP_EARLY_DATA'].to_s == '1' &&
-        (env['REQUEST_METHOD'] != 'GET' || CurrentUser.has_auth_cookie?(env))
-        [
-          425,
-          { 'Content-Type' => 'text/html', 'Content-Length' => '9' },
-          ['Too Early']
-        ]
-      else
-        @app.call(env)
-      end
-    end
-  end
-end