Fix OIDC issuer generating http:// URLs in production

The OIDC provider was falling back to config.public.appUrl for its issuer, which could resolve to an http:// URL. This caused the logout form action to use http://, violating the CSP form-action directive. Hardcode the issuer fallback to https://ghostguild.org.
2026-03-05 22:42:12 +00:00 · 2026-03-05 22:42:12 +00:00 · ba92075366
commit ba92075366
parent 17d29647b4
2 changed files with 2 additions and 3 deletions
--- a/server/middleware/02.security-headers.js
+++ b/server/middleware/02.security-headers.js
@ -20,7 +20,7 @@ export default defineEventHandler((event) => {
      "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
      "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
      "base-uri 'self'",
-      "form-action 'self' https://ghostguild.org",
+      "form-action 'self'",
    ].join('; ')
  }

--- a/server/utils/oidc-provider.ts
+++ b/server/utils/oidc-provider.ts
@ -139,8 +139,7 @@ export async function getOidcProvider() {
  if (_provider) return _provider;

  const config = useRuntimeConfig();
-  const issuer =
-    process.env.OIDC_ISSUER || config.public.appUrl || "https://ghostguild.org";
+  const issuer = process.env.OIDC_ISSUER || "https://ghostguild.org";

  _provider = new Provider(issuer, {
    adapter: MongoAdapter,