Connecting to ORCID with secure_eprints_session cookie SameSite=Strict

[drn05r]

Since EPrints 3.4.5 the secure_eprints_session cookie has set its SameSite attribute to Strict. This creates a problem when ORCID redirects back to the EPrints repository (/cgi/orcid/authenticate) after authenticating the user on ORCID. Because of SameSite=Strict, the cookie is not immediately accessible so /cgi/users/authenticate. cannot lookup the current user as required. So you end up with the page reporting an error.

As similar approach to the problem with Shibboleth login (and redirect loops) could be used to fix it. Below is a code block that I added the script sets $current_user and only does anything if this is undefined:

unless ( defined $current_user )
{
        my $url = $repo->config( 'orcid_support_advance', 'redirect_uri' ) . "?code=$authcode&state=$state&error=$error&error_description=$error_desc";
        $repo->send_http_header( content_type=>"text/html" );
        print '<html><head><meta http-equiv="refresh" content="0;url=' . $url . '"/></head><body></body></html>';
        exit;
}

What are people's thoughts on this. It is not ideal and I suspect there may be a slightly less ugly way to solve this. So I thought it worth submitting this as an issue first rather than just a pull request.

[drn05r]

Probably worth having some loop detection:

unless ( defined $current_user )
{
        if ( $repo->param( 'redirected' ) )
        {
                EPrints::abort( "Cannot determine current user." );
        }
        my $url = $repo->config( 'orcid_support_advance', 'redirect_uri' ) . "?code=$authcode&state=$state&error=$error&error_description=$error_desc&redirected=1";
        $repo->send_http_header( content_type=>"text/html" );
        print '<html><head><meta http-equiv="refresh" content="0;url=' . $url . '"/></head><body></body></html>';
        exit;
}