jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix OIDC issuer generating http:// URLs in production

Browse source 
The OIDC provider was falling back to config.public.appUrl for its
issuer, which could resolve to an http:// URL. This caused the logout
form action to use http://, violating the CSP form-action directive.
Hardcode the issuer fallback to https://ghostguild.org.
This commit is contained in:
Jennie Robinson Faber 2026-03-05 22:42:12 +00:00
parent 17d29647b4
commit ba92075366
2 changed files with 2 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
server/middleware/02.security-headers.js
View file

@ -20,7 +20,7 @@ export default defineEventHandler((event) => {
"connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io", "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
"frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com", "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
"base-uri 'self'", "base-uri 'self'",
"form-action 'self' https://ghostguild.org", "form-action 'self'",
].join('; ') ].join('; ')
} }

3
server/utils/oidc-provider.ts
View file

@ -139,8 +139,7 @@ export async function getOidcProvider() {
if (_provider) return _provider; if (_provider) return _provider;
const config = useRuntimeConfig(); const config = useRuntimeConfig();
const issuer = const issuer = process.env.OIDC_ISSUER || "https://ghostguild.org";
process.env.OIDC_ISSUER || config.public.appUrl || "https://ghostguild.org";
_provider = new Provider(issuer, { _provider = new Provider(issuer, {
adapter: MongoAdapter, adapter: MongoAdapter,