Merge pull request #4635 from Vito0912/feat/OIDCfix

Fix Invalid callback URL - must be same-origin for NPM users
2025-09-06 17:51:08 +02:00 · 2025-09-02 18:18:52 -04:00 · 2025-09-02 18:18:52 -04:00 · 7d048b7a50
commit 7d048b7a50
parent c7c21cc137 50e2fe7fd2
1 changed files with 10 additions and 1 deletions
--- a/server/auth/OidcAuthStrategy.js
+++ b/server/auth/OidcAuthStrategy.js
@ -527,7 +527,16 @@ class OidcAuthStrategy {

      // For absolute URLs, ensure they point to the same origin
      const callbackUrlObj = new URL(callbackUrl)
-      const currentProtocol = req.secure || req.get('x-forwarded-proto') === 'https' ? 'https' : 'http'
+      // NPM appends both http and https in x-forwarded-proto sometimes, so we need to check for both
+      const xfp = (req.get('x-forwarded-proto') || '').toLowerCase()
+      const currentProtocol =
+        req.secure ||
+        xfp
+          .split(',')
+          .map((s) => s.trim())
+          .includes('https')
+          ? 'https'
+          : 'http'
      const currentHost = req.get('host')

      // Check if protocol and host match exactly