| 637 | } |
| 638 | |
// requireHTTPS reports whether the request was rejected for not arriving over
// HTTPS. It returns true only after calling Error with http.StatusForbidden,
// so a caller should stop handling the request on true. It returns false when
// the request is accepted or when enforcement does not apply.
//
// Enforcement is skipped when the resolved settings exist with EnforceHTTPS
// off, or when cfg.Env is anything other than the exact string "production".
// When h.resolved is nil, only the Env comparison decides.
//
// NOTE(review): the Env check fails open. A misspelled or differently cased
// environment name disables the HTTPS requirement without any log line.
func (h *OidcHandler) requireHTTPS(w http.ResponseWriter, r *http.Request) bool {
	// Take a snapshot of the resolved settings under the read lock.
	h.clientMu.RLock()
	snapshot := h.resolved
	h.clientMu.RUnlock()

	enforcementOff := snapshot != nil && !snapshot.EnforceHTTPS
	if enforcementOff || h.cfg.Env != "production" {
		return false
	}

	// NOTE(review): h.resolvedCfg is read without clientMu, unlike h.resolved
	// above. Confirm whether the two fields are meant to be distinct and
	// whether resolvedCfg can change after startup.
	proxyTrusted := h.resolvedCfg != nil && h.resolvedCfg.TrustProxy

	switch {
	case r.TLS != nil:
		// The connection to this process is itself TLS.
		return false
	case proxyTrusted && r.Header.Get("X-Forwarded-Proto") == "https":
		// X-Forwarded-Proto is an ordinary request header that any client can
		// send. Trusting it is only sound when every request passes through a
		// proxy that overwrites it - confirm the deployment guarantees that.
		// The match is exact and case-sensitive, so "HTTPS" or a
		// comma-separated list is treated as insecure and rejected.
		return false
	}

	if h.log != nil {
		h.log.Error("oidc rejected: HTTPS required")
	}
	Error(w, http.StatusForbidden, "HTTPS required for authentication")
	return true
}
| 662 | |
| 663 | func generateState() string { |
| 664 | b := make([]byte, 32) |