🐞 fix (AUTH): wrong URL in prod, rely on reverse proxy headers!

branch: main
DeutscheModelUnitedNations · Jul 17, 2024 · 60bfd31 · 60bfd31
1 parent adc2b44
commit 60bfd31
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 12 deletions.
diff --git a/src/api/auth/flow.ts b/src/api/auth/flow.ts
@@ -34,11 +34,6 @@ type OIDCFlowState = {
 };
 
 export function startSignin(visitedUrl: URL) {
-	//TODO https://github.com/gornostay25/svelte-adapter-bun/issues/62
-	if (dynamicPrivateConfig.NODE_ENV === 'production') {
-		console.info('Production mode detected, redirecting to HTTPS', visitedUrl.toString());
-		visitedUrl = new URL(visitedUrl.toString().replace('http://', 'https://'));
-	}
 	const code_verifier = generators.codeVerifier();
 	const encrypted_verifier = cryptr.encrypt(code_verifier);
 	const code_challenge = generators.codeChallenge(code_verifier);

diff --git a/src/routes/(authenticated)/+layout.server.ts b/src/routes/(authenticated)/+layout.server.ts
@@ -9,8 +9,9 @@ import {
 	tokensCookieName
 } from '$api/auth/flow';
 import type { TokenCookieSchemaType } from '$api/auth/oidc';
+import { dynamicPrivateConfig } from '$config/private';
 
-export const load: LayoutServerLoad = async ({ url, cookies }) => {
+export const load: LayoutServerLoad = async ({ cookies, url, request }) => {
 	// are we signed in?
 	const existingTokens = cookies.get(tokensCookieName);
 	if (existingTokens) {
@@ -49,14 +50,21 @@ export const load: LayoutServerLoad = async ({ url, cookies }) => {
 			};
 		}
 	}
-
 	// if not, start the signin process
-	const { encrypted_verifier, redirect_uri } = startSignin(url);
+
+	//TODO https://github.com/gornostay25/svelte-adapter-bun/issues/62
+	const { encrypted_verifier, redirect_uri } = startSignin(
+		dynamicPrivateConfig.NODE_ENV === 'production'
+			? new URL(
+					`${request.headers.get('x-forwarded-proto')}://${request.headers.get('x-forwarded-host')}${url.pathname}${url.search}`
+				)
+			: url
+	);
 
 	cookies.set(codeVerifierCookieName, encrypted_verifier, {
 		sameSite: 'lax',
 		maxAge: 60 * 5,
-		path: '/',
+		path: '/'
 	});
 
 	redirect(302, redirect_uri);

diff --git a/src/routes/auth/login-callback/+page.server.ts b/src/routes/auth/login-callback/+page.server.ts
@@ -1,13 +1,21 @@
 import { codeVerifierCookieName, resolveSignin, tokensCookieName } from '$api/auth/flow';
 import type { TokenCookieSchemaType } from '$api/auth/oidc';
+import { dynamicPrivateConfig } from '$config/private';
 import type { PageServerLoad } from './$types';
 import { error, redirect } from '@sveltejs/kit';
 
-export const load: PageServerLoad = async ({ url, cookies }) => {
+export const load: PageServerLoad = async ({ url, cookies, request }) => {
 	const verifier = cookies.get(codeVerifierCookieName);
 	if (!verifier) error(400, 'No code verifier cookie found.');
 
-	const { state, tokenSet } = await resolveSignin(url, verifier);
+	const { state, tokenSet } = await resolveSignin(
+		dynamicPrivateConfig.NODE_ENV === 'production'
+			? new URL(
+					`${request.headers.get('x-forwarded-proto')}://${request.headers.get('x-forwarded-host')}${url.pathname}${url.search}`
+				)
+			: url,
+		verifier
+	);
 
 	const cookieValue: TokenCookieSchemaType = {
 		access_token: tokenSet.access_token,
@@ -24,7 +32,7 @@ export const load: PageServerLoad = async ({ url, cookies }) => {
 		// we need lax to allow the token to be sent with redirect from the auth provider
 		sameSite: 'lax',
 		path: '/',
-		expires: tokenSet.expires_at ? new Date(tokenSet.expires_at * 1000) : undefined,
+		expires: tokenSet.expires_at ? new Date(tokenSet.expires_at * 1000) : undefined
 	});
 
 	cookies.delete(codeVerifierCookieName, { path: '/' });