fix: make sure openid config uses https scheme when not localhost

obiba · Nov 29, 2023 · 84acb73 · 84acb73
1 parent 6a28ed5
commit 84acb73
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/agate-core/src/main/java/org/obiba/agate/service/ConfigurationService.java b/agate-core/src/main/java/org/obiba/agate/service/ConfigurationService.java
@@ -122,10 +122,14 @@ public String getBaseURL(HttpServletRequest request) {
     String baseURL;
     if (Strings.isNullOrEmpty(host))
       baseURL = getPublicUrl();
-    else if (Strings.isNullOrEmpty(getContextPath()))
-      baseURL = String.format("%s://%s", request.getScheme(), host);
-    else
-      baseURL = String.format("%s://%s%s", request.getScheme(), host, getContextPath());
+    else {
+      // enforce https scheme for non localhost connection
+      String scheme = host.startsWith("localhost:") || host.startsWith("127.0.0.1:") ? request.getScheme() : "https";
+      if (Strings.isNullOrEmpty(getContextPath()))
+        baseURL = String.format("%s://%s", scheme, host);
+      else
+        baseURL = String.format("%s://%s%s", scheme, host, getContextPath());
+    }
     return baseURL;
   }