Require https callback in production, allow for http otherwise

5 years ago · d7bbae9196
1 changed files with 3 additions and 1 deletions
--- a/packages/worker/src/api/controllers/admin/auth.js
+++ b/packages/worker/src/api/controllers/admin/auth.js
@ -144,7 +144,9 @@ async function oidcStrategyFactory(ctx, configId) {

  const chosenConfig = config.configs.filter(c => c.uuid === configId)[0]

-  const callbackUrl = `${ctx.protocol}://${ctx.host}/api/admin/auth/oidc/callback`
+  // require https callback in production
+  const protocol = process.env.NODE_ENV === "production" ? "https" : "http"
+  const callbackUrl = `${protocol}://${ctx.host}/api/admin/auth/oidc/callback`

  return oidc.strategyFactory(chosenConfig, callbackUrl)
 }