Fix OIDC logout form posting to http:// behind reverse proxy

The oidc-provider generates form actions using http:// despite proxy
trust settings, causing an insecure form submission warning. Rewrite
the form action URL to https:// before rendering.
Jennie Robinson Faber 2026-03-05 23:11:00 +00:00
parent fed1cc4bc7
commit ba5cce62fb


@ -214,11 +214,13 @@ export async function getOidcProvider() {
rpInitiatedLogout: {
enabled: true,
logoutSource: async (ctx: any, form: string) => {
// oidc-provider generates http:// form actions behind reverse proxy
const secureForm = form.replace('http://ghostguild.org', 'https://ghostguild.org');
ctx.body = guildPageShell("Sign Out", `
<h1>Sign Out</h1>
<p>Do you want to sign out of your Ghost Guild session?</p>
<p class="subtext">This will sign you out of the wiki and any other connected services.</p>
${form}
${secureForm}
<div class="actions">
<button class="btn-primary" form="op.logoutForm" type="submit" value="yes" name="logout">Yes, sign me out</button>
<a class="btn-secondary" href="https://wiki.ghostguild.org">Stay signed in</a>
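Review bot: The rewrite on the `secureForm` line matches the literal `http://ghostguild.org`, so if the provider ever emits a different host (a staging name, an explicit port, a changed issuer) the replace silently does nothing and the logout form posts over http:// again. Deriving the target from the configured issuer, or scoping the rewrite to the attribute with something like `form.replace('action="http://', 'action="https://')`, would tie it to the form action rather than to one hostname; this assumes the generated markup uses a double-quoted `action` attribute. Because the provider is building http:// URLs here, other URLs it generates (discovery metadata, redirects) are presumably affected as well, so it is worth confirming that `X-Forwarded-Proto` reaches the app and that the provider's proxy trust is really in effect, rather than patching only this page. `getOidcProvider` starts and ends outside this hunk, so that configuration is not visible here.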