From 50e2fe7fd22d03915a2c17ff5248b7ca1e245944 Mon Sep 17 00:00:00 2001
From: Vito0912 <86927734+Vito0912@users.noreply.github.com>
Date: Sat, 30 Aug 2025 17:46:26 +0200
Subject: [PATCH] Fix http/https error
---
 server/auth/OidcAuthStrategy.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/server/auth/OidcAuthStrategy.js b/server/auth/OidcAuthStrategy.js
index 0780b7612..64ab82448 100644
--- a/server/auth/OidcAuthStrategy.js
+++ b/server/auth/OidcAuthStrategy.js
@@ -527,7 +527,16 @@ class OidcAuthStrategy {
 // For absolute URLs, ensure they point to the same origin
 const callbackUrlObj = new URL(callbackUrl)
- const currentProtocol = req.secure || req.get('x-forwarded-proto') === 'https' ? 'https' : 'http'
+ // NPM appends both http and https in x-forwarded-proto sometimes, so we need to check for both
+ const xfp = (req.get('x-forwarded-proto') || '').toLowerCase()
+ const currentProtocol =
+ req.secure ||
+ xfp
+ .split(',')
+ .map((s) => s.trim())
+ .includes('https')
+ ? 'https'
+ : 'http'
 const currentHost = req.get('host')
 // Check if protocol and host match exactly
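Review bot: The new `.includes('https')` test resolves `currentProtocol` to https as soon as any entry of the comma-separated `x-forwarded-proto` list says so, and the header is read regardless of whether the request arrived through a proxy the server trusts; because `currentProtocol` feeds the same-origin comparison against `callbackUrl`, the result of that check now depends on a value that a direct client or an intermediate hop can set. Whether Express `trust proxy` is configured is not visible from this hunk; if it is, `req.protocol` already honours the forwarded header only for trusted proxies, though it reads just the first list entry and so may not cover the mixed list this commit targets. At minimum the trust assumption should be written down next to the parsing, for example `// x-forwarded-proto is only reliable when our own reverse proxy sets or overwrites it; direct clients can send any value`. The existing comment should also spell out "NPM" (presumably Nginx Proxy Manager rather than the package manager). The enclosing method starts and ends outside the hunk.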