@adobe/helix-html-pipeline 3.4.6 → 3.5.0

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [3.5.0](https://github.com/adobe/helix-html-pipeline/compare/v3.4.6...v3.5.0) (2022-10-26)
+
+
+### Features
+
+* respect x-forwarded-proto in auth ([#171](https://github.com/adobe/helix-html-pipeline/issues/171)) ([cae61e1](https://github.com/adobe/helix-html-pipeline/commit/cae61e15f16903bc298c4dd5a4a6f7b1379e5ae5))
+
 ## [3.4.6](https://github.com/adobe/helix-html-pipeline/compare/v3.4.5...v3.4.6) (2022-10-22)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "3.4.6",
+  "version": "3.5.0",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -48,7 +48,7 @@
     "hast-util-to-html": "8.0.3",
     "hast-util-to-string": "2.0.0",
     "hastscript": "7.1.0",
-    "jose": "4.10.0",
+    "jose": "4.10.3",
     "mdast-util-gfm-footnote": "1.0.1",
     "mdast-util-gfm-strikethrough": "1.0.1",
     "mdast-util-gfm-table": "1.0.6",
@@ -81,7 +81,7 @@
     "@semantic-release/git": "10.0.1",
     "@semantic-release/npm": "9.0.1",
     "c8": "7.12.0",
-    "eslint": "8.25.0",
+    "eslint": "8.26.0",
     "eslint-import-resolver-exports": "1.0.0-beta.3",
     "eslint-plugin-header": "3.1.1",
     "eslint-plugin-import": "2.26.0",
@@ -91,7 +91,7 @@
     "jsdom": "20.0.1",
     "junit-report-builder": "3.0.1",
     "lint-staged": "13.0.3",
-    "mocha": "10.0.0",
+    "mocha": "10.1.0",
     "mocha-multi-reporters": "1.5.1",
     "remark-gfm": "3.0.1",
     "semantic-release": "19.0.5"

package/src/utils/auth.js

@@ -79,9 +79,9 @@ export async function decodeIdToken(state, idp, idToken, lenient = false) {
  *
  * @param {PipelineState} state
  * @param {PipelineRequest} req
- * @return {string}
+ * @returns {{proto: (*|string), host: string}} the request host and protocol.
  */
-function getRequestHost(state, req) {
+function getRequestHostAndProto(state, req) {
   // determine the location of 'this' document based on the xfh header. so that logins to
   // .page stay on .page. etc. but fallback to the config.host if non set
   let host = req.headers.get('x-forwarded-host');
@@ -91,8 +91,12 @@ function getRequestHost(state, req) {
   if (!host) {
     host = state.config.host;
   }
-  state.log.info(`request host is: ${host}`);
-  return host;
+  const proto = req.headers.get('x-forwarded-proto') || 'https';
+  state.log.info(`request host is: ${host} (${proto})`);
+  return {
+    host,
+    proto,
+  };
 }
 
 /**
@@ -181,7 +185,7 @@ export class AuthInfo {
 
     // determine the location of 'this' document based on the xfh header. so that logins to
     // .page stay on .page. etc. but fallback to the config.host if non set
-    const host = getRequestHost(state, req);
+    const { host, proto } = getRequestHostAndProto(state, req);
     if (!host) {
       log.error('[auth] unable to create login redirect: no xfh or config.host.');
       res.status = 401;
@@ -199,6 +203,7 @@ export class AuthInfo {
       // this is our own login redirect, i.e. the current document
       requestPath: state.info.path,
       requestHost: host,
+      requestProto: proto,
     }).encode();
 
     url.searchParams.append('client_id', clientId);
@@ -239,9 +244,9 @@ export class AuthInfo {
 
     // ensure that the request is made to the target host
     if (req.params.state?.requestHost) {
-      const host = getRequestHost(state, req);
+      const { host } = getRequestHostAndProto(state, req);
       if (host !== req.params.state.requestHost) {
-        const url = new URL(`https://${req.params.state.requestHost}/.auth`);
+        const url = new URL(`${req.params.state.requestProto}://${req.params.state.requestHost}/.auth`);
         url.searchParams.append('state', req.params.rawState);
         url.searchParams.append('code', req.params.code);
         const location = state.createExternalLocation(url.href);