From ba92075366443a4ea67df5d969511b45b881bc10 Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber
Date: Thu, 5 Mar 2026 22:42:12 +0000
Subject: [PATCH] Fix OIDC issuer generating http:// URLs in production

The OIDC provider was falling back to config.public.appUrl for its issuer, which could resolve to an http:// URL. This caused the logout form action to use http://, violating the CSP form-action directive. Hardcode the issuer fallback to https://ghostguild.org.
---
 server/middleware/02.security-headers.js | 2 +-
 server/utils/oidc-provider.ts | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/server/middleware/02.security-headers.js b/server/middleware/02.security-headers.js
index 25d0b1a..f29ce86 100644
--- a/server/middleware/02.security-headers.js
+++ b/server/middleware/02.security-headers.js
@@ -20,7 +20,7 @@ export default defineEventHandler((event) => {
 "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
 "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
 "base-uri 'self'",
- "form-action 'self' https://ghostguild.org",
+ "form-action 'self'",
 ].join('; ')
 }
diff --git a/server/utils/oidc-provider.ts b/server/utils/oidc-provider.ts
index e67e6fa..8a76ba8 100644
--- a/server/utils/oidc-provider.ts
+++ b/server/utils/oidc-provider.ts
@@ -139,8 +139,7 @@ export async function getOidcProvider() {
 if (_provider) return _provider;
 const config = useRuntimeConfig();
- const issuer =
- process.env.OIDC_ISSUER || config.public.appUrl || "https://ghostguild.org";
+ const issuer = process.env.OIDC_ISSUER || "https://ghostguild.org";
 _provider = new Provider(issuer, {
 adapter: MongoAdapter,
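Review bot: Tightening to `form-action 'self'` is only correct while the OIDC issuer origin is the same as the origin serving the page, and nothing on this line records that coupling; per the commit message the logout form posts to the issuer, so a deployment on another host, or an OIDC_ISSUER value on a different origin, will be blocked by this directive again with no hint why. I'd add a comment above the entry: `// 'self' is enough only because the OIDC issuer (oidc-provider.ts) is always this origin; widen if OIDC_ISSUER ever points elsewhere`. The old explicit origin looked like a workaround for the http:// issuer rather than a deliberate allowance, so dropping it is fine once that assumption is documented. The enclosing defineEventHandler starts and ends outside the hunk.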
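Review bot: The new fallback silently points any deployment that does not set OIDC_ISSUER at the production origin `https://ghostguild.org`, so a staging or local instance would presumably advertise the production issuer in discovery and tokens and its logout form would target production (which the tightened form-action then blocks), with nothing logged. The issuer is a trust anchor for relying parties, so I'd fail closed on a bad value rather than paper over it: keep `const issuer = process.env.OIDC_ISSUER || "https://ghostguild.org";` and add `if (!issuer.startsWith("https://")) throw new Error("OIDC issuer must be an https:// URL");` — that also rejects the http:// case this commit fixes if someone sets the env var to an http URL. The context line `const config = useRuntimeConfig();` is kept, but `config` no longer appears in the hunk; if nothing later in getOidcProvider reads it, the assignment is now dead. getOidcProvider's body continues outside the hunk.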