From 564f132d806f5127d8c122ef7517be472918496b Mon Sep 17 00:00:00 2001
From: Thatsaphorn Atchariyaphap
Date: Sat, 14 Jun 2025 08:48:39 +0200
Subject: [PATCH] Update `auth.lua` to validate `KEYCLOAK_CLIENT_SECRET` and adjust redirect URI logic.
---
 auth.lua | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/auth.lua b/auth.lua
index 9644abc..7b28f06 100644
--- a/auth.lua
+++ b/auth.lua
@@ -1,17 +1,18 @@
 local openidc = require("resty.openidc")
--- Determine the correct redirect URI
-local scheme = ngx.var.scheme
-local host = ngx.var.http_host
-local request_uri = ngx.var.request_uri
-local redirect_uri = scheme .. "://" .. host .. request_uri
+local client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET")
+if not client_secret then
+ ngx.log(ngx.ERR, "Missing KEYCLOAK_CLIENT_SECRET env variable")
+ ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+end
 local opts = {
- redirect_uri = redirect_uri, -- ✅ use full URI dynamically
+ redirect_uri_path = "/redirect_uri",
 discovery = "https://kc.boomlab.party/realms/rhein-sw/.well-known/openid-configuration",
 client_id = "demo-sso",
- client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET"),
+ client_secret = client_secret,
 scope = "openid email profile",
+ redirect_uri_scheme = "https",
 ssl_verify = "no"
 }
@@ -23,6 +24,6 @@ if err then
 ngx.exit(ngx.HTTP_FORBIDDEN)
 end
--- Optional: Forward useful info to upstream
 ngx.req.set_header("X-User", res.user.preferred_username or "")
 ngx.req.set_header("X-Email", res.user.email or "")
+ngx.status = 204 -- empty but valid response to avoid ERR_INVALID_RESPONSE
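Review bot: The `ssl_verify = "no"` kept at the end of the `opts` table means the client secret this hunk now validates is still sent to the Keycloak token endpoint without certificate verification, and the discovery document and signing keys are fetched the same way, so a party on the network path between nginx and Keycloak could pose as the identity provider. Change it to `ssl_verify = "yes"` and make sure nginx has a CA bundle configured through `lua_ssl_trusted_certificate`. Separately, `if not client_secret then` does not reject an empty value because `""` is truthy in Lua; `if not client_secret or client_secret == "" then` covers both cases. The variable also only reaches the workers if nginx declares it with `env KEYCLOAK_CLIENT_SECRET;`, which is not visible in this patch.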
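Review bot: The `X-User` and `X-Email` lines in the second hunk dereference `res.user` unguarded, and as far as I recall lua-resty-openidc can return a result without `user` when the userinfo call fails, which would surface here as a Lua error and a 500; `local user = res.user or {}` ahead of the two `set_header` calls avoids that. The added `ngx.status = 204` only sets a status and does not end the request, and the patch does not show which phase runs this script: in a content handler the request headers set above never reach an upstream, while in an access handler in front of `proxy_pass` the upstream's status replaces the 204. Whichever it is, the upstream should accept `X-User`/`X-Email` only from this proxy, and the removed comment would be better replaced than dropped, e.g. `-- identity headers for the upstream; overwrites any client-supplied X-User/X-Email`. The `if err then` block these lines follow starts outside the hunk.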