mirror of
https://github.com/ajnart/homarr.git
synced 2026-02-26 16:30:57 +01:00
fix(auth): oidc redirect does not respect https protocol (#1763)
This commit is contained in:
@@ -149,7 +149,7 @@ jobs:
|
||||
with:
|
||||
platforms: linux/amd64,linux/arm64
|
||||
context: .
|
||||
push: ${{ env.PUSH_IMAGE}}
|
||||
push: ${{ env.PUSH_IMAGE }}
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
network: host
|
||||
|
||||
@@ -21,7 +21,7 @@ http {
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -23,7 +23,8 @@ export const OidcProvider = (headers: ReadonlyHeaders | null): OIDCConfig<Profil
|
||||
authorization: {
|
||||
params: {
|
||||
scope: env.AUTH_OIDC_SCOPE_OVERWRITE,
|
||||
redirect_uri: createRedirectUri(headers, "/api/auth/callback/oidc"),
|
||||
// We fallback to https as generally oidc providers require https
|
||||
redirect_uri: createRedirectUri(headers, "/api/auth/callback/oidc", "https"),
|
||||
},
|
||||
},
|
||||
profile(profile) {
|
||||
|
||||
@@ -8,12 +8,16 @@ import { extractBaseUrlFromHeaders } from "@homarr/common";
|
||||
* @param pathname
|
||||
* @returns
|
||||
*/
|
||||
export const createRedirectUri = (headers: ReadonlyHeaders | null, pathname: string) => {
|
||||
export const createRedirectUri = (
|
||||
headers: ReadonlyHeaders | null,
|
||||
pathname: string,
|
||||
fallbackProtocol: "http" | "https" = "http",
|
||||
) => {
|
||||
if (!headers) {
|
||||
return pathname;
|
||||
}
|
||||
|
||||
const baseUrl = extractBaseUrlFromHeaders(headers);
|
||||
const baseUrl = extractBaseUrlFromHeaders(headers, fallbackProtocol);
|
||||
|
||||
const path = pathname.startsWith("/") ? pathname : `/${pathname}`;
|
||||
|
||||
|
||||
@@ -4,8 +4,16 @@ export const removeTrailingSlash = (path: string) => {
|
||||
return path.at(-1) === "/" ? path.substring(0, path.length - 1) : path;
|
||||
};
|
||||
|
||||
export const extractBaseUrlFromHeaders = (headers: ReadonlyHeaders): `${string}://${string}` => {
|
||||
let protocol = headers.get("x-forwarded-proto") ?? "http";
|
||||
export const extractBaseUrlFromHeaders = (
|
||||
headers: ReadonlyHeaders,
|
||||
fallbackProtocol: "http" | "https" = "http",
|
||||
): `${string}://${string}` => {
|
||||
let protocol = headers.get("x-forwarded-proto");
|
||||
|
||||
// If the protocol is not set or an empty string
|
||||
if (!protocol) {
|
||||
protocol = fallbackProtocol;
|
||||
}
|
||||
|
||||
// @see https://support.glitch.com/t/x-forwarded-proto-contains-multiple-protocols/17219
|
||||
if (protocol.includes(",")) {
|
||||
|
||||
Reference in New Issue
Block a user