fix(auth): oidc redirect does not respect https protocol (#1763)

2026-02-26 16:30:57 +01:00 · 2024-12-24 14:15:34 +01:00
parent e220087e96
commit 0336803550
5 changed files with 20 additions and 7 deletions
--- a/.github/workflows/deployment-docker-image.yml
+++ b/.github/workflows/deployment-docker-image.yml
@@ -149,7 +149,7 @@ jobs:
        with:
          platforms: linux/amd64,linux/arm64
          context: .
-          push: ${{ env.PUSH_IMAGE}}
+          push: ${{ env.PUSH_IMAGE }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          network: host
--- a/nginx.conf
+++ b/nginx.conf
@@ -21,7 +21,7 @@ http {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        }
    }
 }
--- a/packages/auth/providers/oidc/oidc-provider.ts
+++ b/packages/auth/providers/oidc/oidc-provider.ts
@@ -23,7 +23,8 @@ export const OidcProvider = (headers: ReadonlyHeaders | null): OIDCConfig<Profil
  authorization: {
    params: {
      scope: env.AUTH_OIDC_SCOPE_OVERWRITE,
-      redirect_uri: createRedirectUri(headers, "/api/auth/callback/oidc"),
+      // We fallback to https as generally oidc providers require https
+      redirect_uri: createRedirectUri(headers, "/api/auth/callback/oidc", "https"),
    },
  },
  profile(profile) {
--- a/packages/auth/redirect.ts
+++ b/packages/auth/redirect.ts
@@ -8,12 +8,16 @@ import { extractBaseUrlFromHeaders } from "@homarr/common";
 * @param pathname
 * @returns
 */
-export const createRedirectUri = (headers: ReadonlyHeaders | null, pathname: string) => {
+export const createRedirectUri = (
+  headers: ReadonlyHeaders | null,
+  pathname: string,
+  fallbackProtocol: "http" | "https" = "http",
+) => {
  if (!headers) {
    return pathname;
  }

-  const baseUrl = extractBaseUrlFromHeaders(headers);
+  const baseUrl = extractBaseUrlFromHeaders(headers, fallbackProtocol);

  const path = pathname.startsWith("/") ? pathname : `/${pathname}`;

--- a/packages/common/src/url.ts
+++ b/packages/common/src/url.ts
@@ -4,8 +4,16 @@ export const removeTrailingSlash = (path: string) => {
  return path.at(-1) === "/" ? path.substring(0, path.length - 1) : path;
 };

-export const extractBaseUrlFromHeaders = (headers: ReadonlyHeaders): `${string}://${string}` => {
-  let protocol = headers.get("x-forwarded-proto") ?? "http";
+export const extractBaseUrlFromHeaders = (
+  headers: ReadonlyHeaders,
+  fallbackProtocol: "http" | "https" = "http",
+): `${string}://${string}` => {
+  let protocol = headers.get("x-forwarded-proto");
+
+  // If the protocol is not set or an empty string
+  if (!protocol) {
+    protocol = fallbackProtocol;
+  }

  // @see https://support.glitch.com/t/x-forwarded-proto-contains-multiple-protocols/17219
  if (protocol.includes(",")) {