fix(thank-you): force https for QR PNG URL behind TLS-terminating proxy

Gerhard Scheikl
2026-05-09 21:19:01 +02:00
parent 3fb8600402
commit f6c5d108ad
3 changed files with 14 additions and 1 deletions
+7 -1
@@ -93,7 +93,13 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
const giroCodeUrl = (() => {
const exp = Math.floor(Date.now() / 1000) + 60 * 60; // 1 hour
const origin = new URL(request.url).origin;
const reqUrl = new URL(request.url);
// Behind a reverse proxy that terminates TLS the inbound URL is http.
// Trust X-Forwarded-Proto, otherwise force https for any non-localhost host.
const forwardedProto = request.headers.get("x-forwarded-proto")?.split(",")[0]?.trim();
const isLocal = reqUrl.hostname === "localhost" || reqUrl.hostname === "127.0.0.1";
const proto = forwardedProto ?? (isLocal ? reqUrl.protocol.replace(":", "") : "https");
const origin = `${proto}://${reqUrl.host}`;
const qs = signGiroCodeUrl({ shop, orderId: numericId, exp });
return `${origin}/api/public/girocode.png?${qs}`;
})();
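Review bot: `forwardedProto` is read from the request's `x-forwarded-proto` header and interpolated into `origin` without checking that it is `http` or `https`, so the result is only trustworthy if the proxy always overwrites that header rather than passing a client-supplied one through. An empty first element (for example a header value that starts with a comma) is not nullish, so `??` does not fall back and `origin` becomes `://host`. A forwarded value of `http` also wins over the "force https" branch the comment describes, which would put the signed `girocode.png` query string on a cleartext URL. I would allowlist the scheme: `const fwd = forwardedProto?.toLowerCase();` followed by `const proto = fwd === "https" || fwd === "http" ? fwd : isLocal ? reqUrl.protocol.replace(":", "") : "https";`, and extend the comment to say which proxy is expected to set the header. The enclosing `loader` starts and ends outside this hunk, so how `giroCodeUrl` is used afterwards is not visible here.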