From f6c5d108ad3285dbd901f3c03a95be9ebd706fcf Mon Sep 17 00:00:00 2001
From: Gerhard Scheikl
Date: Sat, 9 May 2026 21:19:01 +0200
Subject: [PATCH] fix(thank-you): force https for QR PNG URL behind TLS-terminating proxy
---
 .vscode/settings.json | 6 ++++++
 app/routes/api.public.payment-info.tsx | 8 +++++++-
 extensions/invoice-thank-you-payment/src/Checkout.tsx | 1 +
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 .vscode/settings.json
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..7551392
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,6 @@
+{
+ "chat.tools.terminal.autoApprove": {
+ "setopt": true,
+ "npx shopify": true
+ }
+}
\ No newline at end of file
diff --git a/app/routes/api.public.payment-info.tsx b/app/routes/api.public.payment-info.tsx
index 9c88543..3b1a51a 100644
--- a/app/routes/api.public.payment-info.tsx
+++ b/app/routes/api.public.payment-info.tsx
@@ -93,7 +93,13 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
 const giroCodeUrl = (() => {
 const exp = Math.floor(Date.now() / 1000) + 60 * 60; // 1 hour
- const origin = new URL(request.url).origin;
+ const reqUrl = new URL(request.url);
+ // Behind a reverse proxy that terminates TLS the inbound URL is http.
+ // Trust X-Forwarded-Proto, otherwise force https for any non-localhost host.
+ const forwardedProto = request.headers.get("x-forwarded-proto")?.split(",")[0]?.trim();
+ const isLocal = reqUrl.hostname === "localhost" || reqUrl.hostname === "127.0.0.1";
+ const proto = forwardedProto ?? (isLocal ? reqUrl.protocol.replace(":", "") : "https");
+ const origin = `${proto}://${reqUrl.host}`;
 const qs = signGiroCodeUrl({ shop, orderId: numericId, exp });
 return `${origin}/api/public/girocode.png?${qs}`;
 })();
diff --git a/extensions/invoice-thank-you-payment/src/Checkout.tsx b/extensions/invoice-thank-you-payment/src/Checkout.tsx
index 3a6dabc..f14bd20 100644
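Review bot: The new `.vscode/settings.json` checks in `chat.tools.terminal.autoApprove` entries for `setopt` and `npx shopify`, which is unrelated to the https fix and changes editor behaviour for everyone who opens the workspace. With `"npx shopify": true` the chat agent can presumably run Shopify CLI commands under that prefix, including ones that deploy or change app configuration, without a confirmation prompt. I would drop the file from this commit and keep the setting in user-level settings, or ignore `.vscode/settings.json` in version control. If it has to be shared, narrow the key to the specific subcommand that is actually needed.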
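Review bot: `forwardedProto` comes from a client-settable header and is interpolated into `origin` unchecked, so on this public route a request that reaches the app with its own `X-Forwarded-Proto` decides the scheme of the signed QR URL; an empty header value also passes `??` and yields `://host`. Accept only the two expected values, e.g. `const proto = forwardedProto === "http" || forwardedProto === "https" ? forwardedProto : isLocal ? reqUrl.protocol.replace(":", "") : "https";`, and confirm the proxy overwrites the header rather than appending to it, since `split(",")[0]` keeps the first entry. `reqUrl.host` has the same trust question via the Host header (already true of the old `new URL(request.url).origin`), so building the URL from a configured base URL, if the app has one, would be more robust. The loader's body starts and ends outside this hunk.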
--- a/extensions/invoice-thank-you-payment/src/Checkout.tsx +++ b/extensions/invoice-thank-you-payment/src/Checkout.tsx @@ -102,6 +102,7 @@ function Extension() { return ( {data.instructions} + DEBUG QR URL: {data.giroCodeUrl}