jazzymc/homarr
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(auth): oidc redirect does not respect https protocol (#1763)

Browse Source
This commit is contained in:
Meier Lukas
2024-12-24 14:15:34 +01:00
committed by GitHub
parent e220087e96
commit 0336803550
5 changed files with 20 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/deployment-docker-image.yml vendored
View File

@@ -149,7 +149,7 @@ jobs:
with: with:
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64
context: . context: .
push: ${{ env.PUSH_IMAGE}} push: ${{ env.PUSH_IMAGE }}
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
network: host network: host

2
nginx.conf
View File

@@ -21,7 +21,7 @@ http {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
} }
} }
} }

3
packages/auth/providers/oidc/oidc-provider.ts
View File

@@ -23,7 +23,8 @@ export const OidcProvider = (headers: ReadonlyHeaders | null): OIDCConfig<Profil
authorization: { authorization: {
params: { params: {
scope: env.AUTH_OIDC_SCOPE_OVERWRITE, scope: env.AUTH_OIDC_SCOPE_OVERWRITE,
redirect_uri: createRedirectUri(headers, "/api/auth/callback/oidc"), // We fallback to https as generally oidc providers require https
redirect_uri: createRedirectUri(headers, "/api/auth/callback/oidc", "https"),
}, },
}, },
profile(profile) { profile(profile) {

8
packages/auth/redirect.ts
View File

@@ -8,12 +8,16 @@ import { extractBaseUrlFromHeaders } from "@homarr/common";
* @param pathname * @param pathname
* @returns * @returns
*/ */
export const createRedirectUri = (headers: ReadonlyHeaders | null, pathname: string) => { export const createRedirectUri = (
headers: ReadonlyHeaders | null,
pathname: string,
fallbackProtocol: "http" | "https" = "http",
) => {
if (!headers) { if (!headers) {
return pathname; return pathname;
} }
const baseUrl = extractBaseUrlFromHeaders(headers); const baseUrl = extractBaseUrlFromHeaders(headers, fallbackProtocol);
const path = pathname.startsWith("/") ? pathname : `/${pathname}`; const path = pathname.startsWith("/") ? pathname : `/${pathname}`;

12
packages/common/src/url.ts
View File

@@ -4,8 +4,16 @@ export const removeTrailingSlash = (path: string) => {
return path.at(-1) === "/" ? path.substring(0, path.length - 1) : path; return path.at(-1) === "/" ? path.substring(0, path.length - 1) : path;
}; };
export const extractBaseUrlFromHeaders = (headers: ReadonlyHeaders): `${string}://${string}` => { export const extractBaseUrlFromHeaders = (
let protocol = headers.get("x-forwarded-proto") ?? "http"; headers: ReadonlyHeaders,
fallbackProtocol: "http" | "https" = "http",
): `${string}://${string}` => {
let protocol = headers.get("x-forwarded-proto");
// If the protocol is not set or an empty string
if (!protocol) {
protocol = fallbackProtocol;
}
// @see https://support.glitch.com/t/x-forwarded-proto-contains-multiple-protocols/17219 // @see https://support.glitch.com/t/x-forwarded-proto-contains-multiple-protocols/17219
if (protocol.includes(",")) { if (protocol.includes(",")) {