fix(thank-you): force https for QR PNG URL behind TLS-terminating proxy

.vscode/settings.json

@@ -0,0 +1,6 @@
+{
+    "chat.tools.terminal.autoApprove": {
+        "setopt": true,
+        "npx shopify": true
+    }
+}

app/routes/api.public.payment-info.tsx

@@ -93,7 +93,13 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
 
   const giroCodeUrl = (() => {
     const exp = Math.floor(Date.now() / 1000) + 60 * 60; // 1 hour
-    const origin = new URL(request.url).origin;
+    const reqUrl = new URL(request.url);
+    // Behind a reverse proxy that terminates TLS the inbound URL is http.
+    // Trust X-Forwarded-Proto, otherwise force https for any non-localhost host.
+    const forwardedProto = request.headers.get("x-forwarded-proto")?.split(",")[0]?.trim();
+    const isLocal = reqUrl.hostname === "localhost" || reqUrl.hostname === "127.0.0.1";
+    const proto = forwardedProto ?? (isLocal ? reqUrl.protocol.replace(":", "") : "https");
+    const origin = `${proto}://${reqUrl.host}`;
     const qs = signGiroCodeUrl({ shop, orderId: numericId, exp });
     return `${origin}/api/public/girocode.png?${qs}`;
   })();

extensions/invoice-thank-you-payment/src/Checkout.tsx

@@ -102,6 +102,7 @@ function Extension() {
   return (
     <s-section heading={data.heading}>
       <s-paragraph>{data.instructions}</s-paragraph>
+      <s-paragraph>DEBUG QR URL: {data.giroCodeUrl}</s-paragraph>
       <s-stack direction="inline" gap="base" align-items="start">
         <s-image src={data.giroCodeUrl} alt="GiroCode" inline-size="200px" />
         <s-stack direction="block" gap="small-200">