chore: Only use HTTPS URLs in production

doorkeeper-gem · Oct 5, 2016 · 2618e04 · 2618e04
1 parent 87a6577
commit 2618e04
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 10 deletions.
diff --git a/app/controllers/doorkeeper/openid_connect/discovery_controller.rb b/app/controllers/doorkeeper/openid_connect/discovery_controller.rb
@@ -24,10 +24,10 @@ def provider_response
         openid_connect = ::Doorkeeper::OpenidConnect.configuration
         {
           issuer: openid_connect.issuer,
-          authorization_endpoint: oauth_authorization_url(protocol: :https),
-          token_endpoint: oauth_token_url(protocol: :https),
-          userinfo_endpoint: oauth_userinfo_url(protocol: :https),
-          jwks_uri: oauth_discovery_keys_url(protocol: :https),
+          authorization_endpoint: oauth_authorization_url(protocol: protocol),
+          token_endpoint: oauth_token_url(protocol: protocol),
+          userinfo_endpoint: oauth_userinfo_url(protocol: protocol),
+          jwks_uri: oauth_discovery_keys_url(protocol: protocol),
 
           scopes_supported: doorkeeper.scopes,
 
@@ -62,7 +62,7 @@ def webfinger_response
           links: [
             {
               rel: WEBFINGER_RELATION,
-              href: root_url(protocol: :https),
+              href: root_url(protocol: protocol),
             }
           ]
         }
@@ -80,6 +80,14 @@ def keys_response
           ]
         }
       end
+
+      def protocol
+        if ::Rails.env.production?
+          :https
+        else
+          :http
+        end
+      end
     end
   end
 end
diff --git a/spec/controllers/doorkeeper/openid_connect/discovery_controller_spec.rb b/spec/controllers/doorkeeper/openid_connect/discovery_controller_spec.rb
@@ -8,10 +8,10 @@
 
       expect(data.sort).to eq({
         'issuer' => 'dummy',
-        'authorization_endpoint' => 'https://test.host/oauth/authorize',
-        'token_endpoint' => 'https://test.host/oauth/token',
-        'userinfo_endpoint' => 'https://test.host/oauth/userinfo',
-        'jwks_uri' => 'https://test.host/oauth/discovery/keys',
+        'authorization_endpoint' => 'http://test.host/oauth/authorize',
+        'token_endpoint' => 'http://test.host/oauth/token',
+        'userinfo_endpoint' => 'http://test.host/oauth/userinfo',
+        'jwks_uri' => 'http://test.host/oauth/discovery/keys',
 
         'scopes_supported' => ['openid'],
 
@@ -32,6 +32,15 @@
         ],
       }.sort)
     end
+
+    it 'uses HTTPS URLs in production' do
+      allow(Rails.env).to receive(:production?).and_return(true)
+
+      get :provider
+      data = JSON.parse(response.body)
+
+      expect(data['authorization_endpoint']).to eq 'https://test.host/oauth/authorize'
+    end
   end
 
   describe '#webfinger' do
@@ -49,7 +58,7 @@
         'subject' => '[email protected]',
         'links' => [
           'rel' => 'http://openid.net/specs/connect/1.0/issuer',
-          'href' => 'https://test.host/',
+          'href' => 'http://test.host/',
         ],
       }.sort)
     end