Ensure OIDC endpoints use https behind reverse proxy

Set x-forwarded-proto header on requests before passing to
oidc-provider so generated URLs use https:// in production.

server/routes/.well-known/openid-configuration.get.ts

@@ -14,6 +14,11 @@ export default defineEventHandler(async (event) => {
   // The provider expects the path relative to its root
   req.url = "/.well-known/openid-configuration";
 
+  // Ensure the provider sees https when behind Traefik
+  if (!req.headers["x-forwarded-proto"]) {
+    req.headers["x-forwarded-proto"] = "https";
+  }
+
   const callback = provider.callback() as Function;
   await new Promise<void>((resolve, reject) => {
     callback(req, res, (err: unknown) => {