From eb8d8578643072aa47d0b16633099c023072f3da Mon Sep 17 00:00:00 2001
From: Rory Powell
Date: Fri, 23 Jul 2021 15:47:48 +0100
Subject: [PATCH] Require https callback in production, allow for http otherwise
---
 packages/worker/src/api/controllers/admin/auth.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/worker/src/api/controllers/admin/auth.js b/packages/worker/src/api/controllers/admin/auth.js
index 2a641e6194..3cdfc1b774 100644
--- a/packages/worker/src/api/controllers/admin/auth.js
+++ b/packages/worker/src/api/controllers/admin/auth.js
@@ -144,7 +144,9 @@ async function oidcStrategyFactory(ctx, configId) {
 const chosenConfig = config.configs.filter(c => c.uuid === configId)[0]
- const callbackUrl = `${ctx.protocol}://${ctx.host}/api/admin/auth/oidc/callback`
+ // require https callback in production
+ const protocol = process.env.NODE_ENV === "production" ? "https" : "http"
+ const callbackUrl = `${protocol}://${ctx.host}/api/admin/auth/oidc/callback`
 return oidc.strategyFactory(chosenConfig, callbackUrl)
 }
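Review bot: The new `protocol` line fails open: any deployment where `NODE_ENV` is unset or not exactly `"production"` (staging, or a container started without the variable) builds an `http://` OIDC callback, so the authorization response would travel in cleartext. Inverting the default keeps local development working while making https the fallback, e.g. `const protocol = process.env.NODE_ENV === "development" ? "http" : "https"`. Separately, `callbackUrl` still takes its authority from `ctx.host`, which looks request-derived (Host or forwarded-host header), so the redirect URI remains partly client-controlled. Building it from a configured public URL would remove that dependency, leaving the identity provider's registered redirect-URI list as the backstop. The body of `oidcStrategyFactory` starts above this hunk, so how `config` is loaded is not visible here.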