If the gconfig.tls flag is set to false, the realm and returnUrl parameters in auth.js use "http" instead of "https", which is an issue if you're hosting this in a way where a proxy enforces TLS, because your token gets sent over unencrypted HTTP - or at least so I'm told. There are other cases where this might be an issue, such as the Spplice package repository, or pretty much any instance in which we rely on the gconfig.tls flag to assume what protocol the frontend is using.
This is a bit of a messy problem, but I propose just having two separate flags - one for whether the server should run with TLS, and one for whether the client is expected to connect with TLS.
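An illustration of the two-flag proposal above, added here as an example and not taken from the project's code. Only `gconfig.tls`, `realm` and `returnUrl` come from the issue; `gconfig.clientTls`, `gconfig.domain` and the `/auth/return` path are hypothetical names.

```javascript
// Added illustration, not the project's auth.js.
// Assumed names: gconfig.clientTls, gconfig.domain, the /auth/return path.

// Build the two URLs handed to the auth provider from a scheme and a host.
function buildUrls(scheme, domain) {
  const realm = new URL(`${scheme}://${domain}/`);
  const returnUrl = new URL("/auth/return", realm);
  return { realm: realm.href, returnUrl: returnUrl.href };
}

// Behaviour described in the issue: a single flag decides both how the
// server listens and which scheme is advertised to the browser.
function authUrlsSingleFlag(gconfig) {
  return buildUrls(gconfig.tls ? "https" : "http", gconfig.domain);
}

// Proposed split: gconfig.tls only controls the listener, while
// gconfig.clientTls states which scheme clients use to reach the site.
function authUrlsTwoFlags(gconfig) {
  // Fall back to the listener flag when the client flag is unset, so
  // configs written before the split keep their current behaviour.
  const clientTls =
    typeof gconfig.clientTls === "boolean"
      ? gconfig.clientTls
      : Boolean(gconfig.tls);
  return buildUrls(clientTls ? "https" : "http", gconfig.domain);
}

// Constructed config: plain-HTTP listener behind a proxy that enforces TLS.
const behindProxy = { tls: false, clientTls: true, domain: "example.test" };

console.log("single flag:", authUrlsSingleFlag(behindProxy));
console.log("two flags:  ", authUrlsTwoFlags(behindProxy));
```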