Ensure OIDC endpoints use https behind reverse proxy

Set x-forwarded-proto header on requests before passing to
oidc-provider so generated URLs use https:// in production.

server/routes/.well-known/openid-configuration.get.ts

@@ -14,6 +14,11 @@ export default defineEventHandler(async (event) => {
   // The provider expects the path relative to its root
   req.url = "/.well-known/openid-configuration";
 
+  // Ensure the provider sees https when behind Traefik
+  if (!req.headers["x-forwarded-proto"]) {
+    req.headers["x-forwarded-proto"] = "https";
+  }
+
   const callback = provider.callback() as Function;
   await new Promise<void>((resolve, reject) => {
     callback(req, res, (err: unknown) => {

server/routes/oidc/[...].ts

@@ -17,6 +17,11 @@ export default defineEventHandler(async (event) => {
   // The provider's routes config includes the /oidc prefix,
   // so pass the full path through without stripping.
 
+  // Ensure the provider sees https when behind Traefik
+  if (!req.headers["x-forwarded-proto"]) {
+    req.headers["x-forwarded-proto"] = "https";
+  }
+
   // Hand off to oidc-provider's Connect-style callback
   const callback = provider.callback() as Function;
   await new Promise<void>((resolve, reject) => {