From 4fccb8e72a746bd2475cdaa233d2fbcb224e79af Mon Sep 17 00:00:00 2001
From: gbutler
Date: Thu, 7 May 2026 10:34:35 -0500
Subject: [PATCH] fix(oauth2): allow HTTP origins and fix trailing-slash mismatch for local dev
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Strip trailing slash from normalizeUrl() results in isOriginAllowed() so origins with/without trailing slash match registered values
- Conditionally skip HTTPS scheme enforcement when SSL.Enable is false, allowing HTTP clients in local dev
- Fix SSL.Enable config key lookup (server.SSL_Enable → server.ssl_enable) to match the key name defined in config/server.php
- Use getSchemeAndHttpHost() instead of hardcoded https:// prefix so the IDP base URL reflects the actual request scheme
- Add fastcgi_buffers directives to nginx config to prevent buffer overflow
---
 app/Models/OAuth2/Client.php | 6 +++---
 app/Services/Utils/ServerConfigurationService.php | 4 ++--
 config/server.php | 1 +
 docker-compose/nginx/idp.conf | 2 ++
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/app/Models/OAuth2/Client.php b/app/Models/OAuth2/Client.php
index c01be875..b953be9b 100644
--- a/app/Models/OAuth2/Client.php
+++ b/app/Models/OAuth2/Client.php
@@ -809,9 +809,9 @@ public function isOriginAllowed(string $origin):bool
 {
 $originWithoutPort = URLUtils::canonicalUrl($origin, false);
 if(empty($originWithoutPort)) return false;
-if(str_contains($this->allowed_origins, URLUtils::normalizeUrl($originWithoutPort) )) return true;
+if(str_contains($this->allowed_origins, rtrim(URLUtils::normalizeUrl($originWithoutPort), '/') )) return true;
 $originWithPort = URLUtils::canonicalUrl($origin);
-return str_contains($this->allowed_origins, URLUtils::normalizeUrl($originWithPort));
+return str_contains($this->allowed_origins, rtrim(URLUtils::normalizeUrl($originWithPort), '/'));
 }
 
 public function getWebsite()
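Review bot: The `rtrim` on both `str_contains` calls makes the origin check looser rather than stricter: `$this->allowed_origins` is searched as free text, so a request origin that is a prefix of a registered entry (constructed example: `https://app.example.com` against a registered `https://app.example.community`) already matched, and removing the trailing slash from the needle drops the one terminator that occasionally prevented it. Compare whole entries instead: split `$this->allowed_origins` on whatever separator it is stored with, apply the same `normalizeUrl` + `rtrim(..., '/')` to each entry, and test membership with `in_array($candidate, $entries, true)` for both the with-port and without-port candidates. Whether `URLUtils::normalizeUrl` can return a path component is not visible here; if it can, trimming one slash is only a partial normalization.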
@@ -1097,7 +1097,7 @@ public function isPostLogoutUriAllowed($post_logout_uri)
 if ($parts == false) {
 return false;
 }
-if($parts['scheme']!=='https')
+if($parts['scheme']!=='https' && ServerConfigurationService::getConfigValue("SSL.Enable"))
 return false;
 
 $logout_without_port = $parts['scheme'].'://'.$parts['host'];
diff --git a/app/Services/Utils/ServerConfigurationService.php b/app/Services/Utils/ServerConfigurationService.php
index 70870f62..23ad2e08 100644
--- a/app/Services/Utils/ServerConfigurationService.php
+++ b/app/Services/Utils/ServerConfigurationService.php
@@ -159,7 +159,7 @@ public function __construct(
 $this->default_config_params["OAuth2SecurityPolicy.MaxInvalidRedeemAuthCodeAttempts"] = Config::get('server.OAuth2SecurityPolicy_MaxInvalidRedeemAuthCodeAttempts', 10);
 $this->default_config_params["OAuth2SecurityPolicy.MaxInvalidClientCredentialsAttempts"] = Config::get('server.OAuth2SecurityPolicy_MaxInvalidClientCredentialsAttempts', 5);
 //ssl
-$this->default_config_params["SSL.Enable"] = Config::get('server.SSL_Enable', true);
+$this->default_config_params["SSL.Enable"] = Config::get('server.ssl_enable', true);
 }
 
 public function getUserIdentityEndpointURL($identifier)
@@ -250,7 +250,7 @@ public function getSiteUrl():string
 $request = request();
 if(!is_null($request)) {
-return 'https://'.$request->getHttpHost();
+return $request->getSchemeAndHttpHost();
 }
 return Config::get('app.url');
 }
diff --git a/config/server.php b/config/server.php
index 62ba874a..d88b3168 100644
--- a/config/server.php
+++ b/config/server.php
@@ -15,6 +15,7 @@ return array (
 'ssl_enabled' => env('SSL_ENABLED', false),
+'ssl_enable' => env('SSL_ENABLED', false),
 'db_log_enabled' => env('DB_LOG_ENABLED', false),
 'assets_base_url' => env('ASSETS_BASE_URL', null),
 'banning_enable' => env('BANNING_ENABLE', true),
diff --git a/docker-compose/nginx/idp.conf b/docker-compose/nginx/idp.conf
index 4c6cbf44..55e9f0c9 100644
--- a/docker-compose/nginx/idp.conf
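Review bot: With `SSL.Enable` false the new condition accepts every scheme, not just `http`: `if($parts['scheme']!=='https' && ServerConfigurationService::getConfigValue("SSL.Enable"))` short-circuits to false for any scheme value, so a post-logout URI with a non-web scheme is no longer rejected at this point, and if `$parts` carries no `scheme` key the comparison reads an undefined index. Allow-list the schemes instead of negating one: `$schemes = ServerConfigurationService::getConfigValue("SSL.Enable") ? ['https'] : ['https', 'http'];` followed by `if(!in_array($parts['scheme'] ?? '', $schemes, true)) return false;`. The rest of isPostLogoutUriAllowed, including how the scheme is used after this check, is outside the hunk, so whether a later check catches this is not visible here.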
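Review bot: Fixing the key lookup flips the effective default from enforced to not enforced: before this commit `server.SSL_Enable` did not exist, so `Config::get('server.SSL_Enable', true)` always yielded `true`, whereas `server.ssl_enable` now resolves to `env('SSL_ENABLED', false)` (the config/server.php hunk in this commit), so any deployment that never sets `SSL_ENABLED` silently loses the scheme check in `isPostLogoutUriAllowed`. Since the goal is a local-dev relaxation, the fail-safe default belongs in the config: `'ssl_enable' => env('SSL_ENABLED', true),`, or gate the relaxation on the application environment rather than a default-off flag. Whether other code paths also read `SSL.Enable` is not visible here. The enclosing constructor starts before the hunk.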
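Review bot: `getSchemeAndHttpHost()` takes the scheme from the request, which behind a TLS-terminating proxy is `http` unless the proxy is trusted and `X-Forwarded-Proto` is honoured; the hardcoded `https://` masked that, so a production deployment without trusted-proxy configuration will now issue `http://` base URLs from `getSiteUrl()`. The value also continues to derive from the client-supplied `Host` header (the removed line did that too), which matters because this URL presumably feeds identity endpoints. Suggest a comment above the return such as `// Scheme and host come from the request: behind TLS termination this needs the proxy to be trusted, otherwise the IdP base URL downgrades to http; fixed deployments should prefer app.url`, and consider returning `Config::get('app.url')` first when it is configured.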
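Review bot: `'ssl_enable'` duplicates `'ssl_enabled'` one line above, both reading the same `SSL_ENABLED` variable, which leaves two keys that can drift apart and no indication which one is authoritative. The lookup in `ServerConfigurationService` could read the pre-existing `server.ssl_enabled` key instead of introducing a second one; if the new key has to stay, add a comment marking one as an alias of the other, e.g. `// alias of ssl_enabled; read by ServerConfigurationService as SSL.Enable`.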
+++ b/docker-compose/nginx/idp.conf
@@ -12,6 +12,8 @@ server {
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
+fastcgi_buffers 16 16k;
+fastcgi_buffer_size 32k;
 }
 location / {
 try_files $uri $uri/ /index.php?$query_string;
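Review bot: The two new directives carry no comment, and the commit message's "buffer overflow" wording suggests a memory-safety fix when these settings only size nginx's buffering of FastCGI responses; whoever tunes this file later needs the actual reason. Suggest a comment above `fastcgi_buffers 16 16k;` such as `# Larger response buffers: the IdP presumably emits large headers (cookies, redirect URLs) that exceed the defaults and make nginx fail the request with "upstream sent too big header"`.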