p2r3 / epochtal

Portal 2 tournament framework
https://epochtal.p2r3.com/
GNU General Public License v3.0

Insecure authentication when using proxy TLS #80

Closed p2r3 closed 2 months ago

p2r3 commented 2 months ago

If the gconfig.tls flag is set to false, the realm and returnUrl parameters in auth.js use "http" instead of "https", which is an issue if you're hosting this in a way where a proxy enforces TLS, because your token gets sent over unencrypted HTTP - or at least so I'm told. There are other cases where this might be an issue, such as the Spplice package repository, or pretty much any instance in which we rely on the gconfig.tls flag to assume what protocol the frontend is using.

This is a bit of a messy problem, but I propose just having two separate flags - one for whether the server should run with TLS, and one for whether the client is expected to connect with TLS.
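The contrast between the current single-flag behaviour and the two-flag split proposed above, as an added illustration that is not epochtal's own code: `gconfig.tls` is the only name taken from the issue, while `gconfig.clientTls`, the host, the paths and the function names are assumptions.

```javascript
// Added example, not code from the epochtal repository.
// Only `gconfig.tls` comes from the issue; everything else is assumed.

const HOST = "epochtal.example"; // constructed placeholder host

// Behaviour the issue describes: one flag decides both whether this process
// terminates TLS and which scheme the browser-facing auth URLs carry.
// Behind a TLS-terminating proxy, tls=false yields http:// URLs.
function buildAuthUrlsLegacy(gconfig) {
  const scheme = gconfig.tls ? "https" : "http";
  return {
    realm: `${scheme}://${HOST}/`,
    returnUrl: `${scheme}://${HOST}/api/auth/return`,
  };
}

// Proposed split: `tls` keeps meaning "this server listens with TLS",
// while the assumed `clientTls` means "clients reach us over TLS".
// Behind a proxy the first is false and the second is true, so the
// auth URLs still come out as https. Missing clientTls falls back to tls.
function buildAuthUrls(gconfig) {
  const clientTls = gconfig.clientTls ?? gconfig.tls;
  const scheme = clientTls ? "https" : "http";
  return {
    realm: `${scheme}://${HOST}/`,
    returnUrl: `${scheme}://${HOST}/api/auth/return`,
  };
}

// Deployment sanity check: if the proxy reports that the client connected
// over TLS (conventional X-Forwarded-Proto header) but the auth URLs say
// http, the token would travel unencrypted, so fail loudly instead.
// Returns the scheme actually used by the returnUrl.
function checkSchemeConsistency(urls, forwardedProto) {
  const scheme = new URL(urls.returnUrl).protocol.replace(":", "");
  if (forwardedProto === "https" && scheme !== "https") {
    throw new Error("auth URLs use http but clients connect over TLS");
  }
  return scheme;
}
```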