Fix infinite redirects with load balancer TLS termination #39
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR fixes infinite redirect loops that occur when running behind a load balancer with TLS termination. The issue arises from a protocol mismatch between secure cookie requirements and redirect URLs.
- Adds automatic protocol detection and upgrade for redirect URLs
- Ensures redirect URL protocol matches cookie security settings
- Includes comprehensive test coverage for load balancer scenarios
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/authkit-callback-route.ts | Adds protocol mismatch detection and HTTPS upgrade logic for redirect URLs |
| src/authkit-callback-route.spec.ts | Adds test cases for load balancer TLS termination scenarios and port preservation |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
Greptile Summary
This PR fixes a critical issue with infinite redirect loops that occur when running AuthKit behind load balancers with TLS termination. The problem stems from a protocol mismatch: load balancers terminate HTTPS and forward HTTP requests to the application, but WORKOS_REDIRECT_URI is configured as HTTPS for production. This creates a scenario where cookies are marked as secure (based on the HTTPS config) but the redirect URL uses HTTP (from the processed request), causing browsers to reject the secure cookies and triggering infinite authentication loops.
The solution adds automatic protocol mismatch detection in the authLoader function within src/authkit-callback-route.ts. When the configured WORKOS_REDIRECT_URI uses HTTPS but the incoming request is HTTP, the code automatically upgrades the redirect URL protocol to HTTPS. This ensures consistency between cookie security settings and redirect URL protocols.
The implementation is minimal and targeted - it checks if the configured redirect URI uses HTTPS while the request URL uses HTTP, then upgrades the protocol accordingly. The fix integrates seamlessly with the existing authentication flow without disrupting normal operations or adding unnecessary complexity.
Comprehensive test coverage has been added to verify the fix works correctly, including edge cases like port preservation during protocol upgrades. The tests properly isolate environment variables and document the expected behavior in load balancer scenarios.
Confidence score: 4/5
- This PR addresses a specific production issue with a clean, minimal fix that's unlikely to cause unintended side effects
- Score reflects solid implementation with good test coverage, but load balancer scenarios can be complex and may have edge cases not fully covered
- Pay close attention to
src/authkit-callback-route.tsto ensure the protocol detection logic handles all deployment scenarios correctly
2 files reviewed, no comments
Problem
When running behind a load balancer with TLS termination, users experience infinite redirects because:
WORKOS_REDIRECT_URIprotocol (HTTPS = secure cookies)request.urlwhich is HTTP after load balancer processingSolution
Automatically detect protocol mismatch and upgrade redirect URL to HTTPS when
WORKOS_REDIRECT_URIis HTTPS but request is HTTP.This ensures the redirect URL protocol matches the cookie security setting, preventing infinite redirects in load balancer scenarios.