fix(oidc): look at protocol to decide callback protocol

server/routes/auth.ts

@@ -434,7 +434,7 @@ authRoutes.get('/oidc-callback', async (req, res, next) => {
     return res.status(500).json({ error: 'OIDC sign-in is disabled.' });
   }
   const cookieState = req.cookies['oidc-state'];
-  const url = new URL(req.url, `http://${req.hostname}`);
+  const url = new URL(req.url, `${req.protocol}://${req.hostname}`);
   const state = url.searchParams.get('state');
 
   try {

server/utils/oidc.ts

@@ -26,7 +26,7 @@ export async function getOIDCRedirectUrl(req: Request, state: string) {
 
   const callbackUrl = new URL(
     '/api/v1/auth/oidc-callback',
-    `http://${req.headers.host}`
+    `${req.protocol}://${req.headers.host}`
   ).toString();
   url.searchParams.set('redirect_uri', callbackUrl);
   url.searchParams.set('scope', 'openid profile email');