Open jfly opened 7 years ago
I don't know where the redirect uri is configured.
Ok, after digging into HAPI internals, here's what I've found:
redirect_uri is generated here (I'm pretty sure we're using the v2 version of the library, don't be confused by all the v1 stuff in this file).
protocol on the line above comes from this call to internals.getProtocol.
internals.getProtocol is defined here.
Are you running HAPI behind nginx or something? (I suspect that settings.location is actually a http url). One solution would be to set settings.forceHttps to true. Another solution might be to set settings.location to something, which would short-circuit the internals.location method here (called from here).
Bump! Was just looking at all the WCA OAuth applications and was reminded of this.
From Chrome dev tools when logging in:
1) /authorize is the OAuth route on the WCA website. The redirect_uri parameter looks like this: redirect_uri=http%3A%2F%2Ffantasy.cubing.net%2Flogin. Note the http, not https.
2) /login? is a HTTP url on fantasy.cubing.net.
3) /login? is a HTTPS url on fantasy.cubing.net.

Fixing 1) should be some reconfiguration of HAPI's auth flow: https://github.com/coder13/fantasycubing/blob/a949667a6413d995eacf5c0fe6c2a611887197aa/server/auth/index.js#L12-L32. I don't know where the redirect uri is configured. However, fixing that won't be enough, you'll also need to configure the WCA website to allow redirects to the HTTPS url, right now I see over on https://www.worldcubeassociation.org/oauth/applications/13/edit that only http://fantasy.cubing.net/login is listed as a redirect uri, not https://fantasy.cubing.net/login.
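Added example, not part of the original thread or of the project's code: a JavaScript check that audits the redirect_uri an OAuth client sends to /authorize, showing why both changes discussed above are needed. `buildRedirectUri` is a simplified model (an assumption, not HAPI's implementation), `provider.example` is a placeholder host, and the callback values are the ones quoted in the issue.

```javascript
// Simplified model (assumption, not HAPI's code) of how the callback URL is chosen:
// an explicit `location` wins; otherwise the scheme is whatever the app server saw,
// unless `forceHttps` overrides it. Behind a TLS-terminating proxy the app sees "http".
function buildRedirectUri({ seenProtocol, host, path, forceHttps = false, location = null }) {
  if (location) return location.replace(/\/$/, '') + path;
  const protocol = forceHttps ? 'https' : seenProtocol;
  return `${protocol}://${host}${path}`;
}

// Build the authorize request the browser is redirected to (placeholder provider host).
function authorizeUrl(redirectUri) {
  const u = new URL('https://provider.example/authorize');
  u.searchParams.set('redirect_uri', redirectUri);
  return u.toString();
}

// Audit the redirect_uri in an authorize URL against the provider's registered list.
// Registered callbacks are compared by exact string match.
function auditRedirectUri(authorizeUrlString, registered) {
  const redirectUri = new URL(authorizeUrlString).searchParams.get('redirect_uri');
  if (!redirectUri) return { redirectUri, findings: ['missing redirect_uri'] };
  const findings = [];
  if (new URL(redirectUri).protocol !== 'https:') findings.push('callback is not HTTPS');
  if (!registered.includes(redirectUri)) findings.push('callback is not registered');
  return { redirectUri, findings };
}

// Constructed scenario using the values quoted in the issue.
const behindProxy = { seenProtocol: 'http', host: 'fantasy.cubing.net', path: '/login' };
const registeredNow = ['http://fantasy.cubing.net/login'];
const registeredFixed = ['https://fantasy.cubing.net/login'];

// Current state: plain-HTTP callback that the provider happily accepts.
const before = auditRedirectUri(authorizeUrl(buildRedirectUri(behindProxy)), registeredNow);
// Only the client is fixed: HTTPS callback, but the provider does not list it.
const clientOnly = auditRedirectUri(
  authorizeUrl(buildRedirectUri({ ...behindProxy, forceHttps: true })), registeredNow);
// Client and provider registration both fixed: no findings.
const fixed = auditRedirectUri(
  authorizeUrl(buildRedirectUri({ ...behindProxy, forceHttps: true })), registeredFixed);

console.log({ before, clientOnly, fixed });
```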