From 576285634d46558e7b7d08838076efda83c88120 Mon Sep 17 00:00:00 2001
From: Lucy Thien
Date: Wed, 25 Feb 2026 03:29:00 +0000
Subject: [PATCH] fix: default to https for non-localhost OAuth callbacks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When behind a TLS-terminating proxy (Caddy, nginx, etc) that doesn't set X-Forwarded-Proto, req.protocol returns http since the proxy→app connection is plain HTTP. Now defaults to https for any non-localhost host, which is the correct assumption for production deployments.
---
 src/routes/ui/shared.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/routes/ui/shared.js b/src/routes/ui/shared.js
index 6509025..b66dab5 100644
--- a/src/routes/ui/shared.js
+++ b/src/routes/ui/shared.js
@@ -12,8 +12,9 @@ export const BASE_URL = process.env.BASE_URL || `http://localhost:${PORT}`;
  */
 export function getBaseUrl(req) {
   if (process.env.BASE_URL) return process.env.BASE_URL;
-  const proto = req.headers['x-forwarded-proto'] || req.protocol || 'http';
   const host = req.headers['x-forwarded-host'] || req.headers.host || `localhost:${PORT}`;
+  const isLocal = host.startsWith('localhost') || host.startsWith('127.0.0.1');
+  const proto = req.headers['x-forwarded-proto'] || (isLocal ? 'http' : 'https');
   return `${proto}://${host}`;
 }
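Review bot: `isLocal` on the first added line is a prefix match, so a host such as `localhost.example.com` (or anything beginning with `127.0.0.1`) is classified as local and the callback URL silently falls back to `http`, while the IPv6 loopback `[::1]` is never recognized; compare the hostname exactly after stripping the port instead. On the second added line, `X-Forwarded-Proto` behind stacked proxies can arrive as a comma-separated chain like `https, http`, and the `||` fallback passes that string unchanged into the URL, so take the first entry. Both `host` and, through it, `isLocal` are derived from client-supplied headers unless the proxy overwrites `X-Forwarded-Host`; that trust predates this commit, but the new scheme selection now depends on it too, so the comment on `getBaseUrl` should state that the proxy is expected to set or strip these headers. The rewrite below replaces the two added lines and keeps the surrounding `host` and `return` lines for placement; the `replace(/:\d+$/, '')` form assumes IPv6 hosts arrive bracketed, which is what the Host header syntax requires.
```javascript
  const host = req.headers['x-forwarded-host'] || req.headers.host || `localhost:${PORT}`;
  // Exact hostname match after dropping the port; bracketed IPv6 loopback included.
  const hostname = host.replace(/:\d+$/, '');
  const isLocal = ['localhost', '127.0.0.1', '[::1]'].includes(hostname);
  // Stacked proxies append to X-Forwarded-Proto; the first entry is the client-facing scheme.
  const forwardedProto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  const proto = forwardedProto || (isLocal ? 'http' : 'https');
  return `${proto}://${host}`;
```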