Fix infinite redirects with load balancer TLS termination #78
Conversation
There was a problem hiding this comment.
Pull Request Overview
Fixes infinite redirect loops when running behind a load balancer with TLS termination by detecting protocol mismatches between the configured redirect URI and the incoming request URL, automatically upgrading HTTP redirect URLs to HTTPS when necessary.
- Adds protocol mismatch detection logic to upgrade HTTP redirect URLs to HTTPS when
WORKOS_REDIRECT_URIis configured for HTTPS - Includes comprehensive test coverage for the protocol upgrade behavior
- Preserves existing URL components (port, path, query parameters) while only modifying the protocol
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/authkit-callback-route.ts | Adds protocol mismatch detection and automatic HTTPS upgrade logic |
| src/authkit-callback-route.spec.ts | Adds test coverage for load balancer TLS termination scenarios |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
Greptile Summary
This PR fixes infinite redirect loops that occur when the AuthKit Remix application runs behind load balancers with TLS termination. The core issue stems from a protocol mismatch: the cookie security settings are determined by the WORKOS_REDIRECT_URI environment variable (HTTPS URLs create secure cookies), but redirect URLs are built from the incoming request URL which becomes HTTP after load balancer processing.
The fix adds protocol detection logic in authkit-callback-route.ts that compares the configured redirect URI protocol against the incoming request protocol. When WORKOS_REDIRECT_URI uses HTTPS but the request is HTTP, the code automatically upgrades the redirect URL to HTTPS. This ensures consistency between cookie security flags and redirect protocols, preventing browsers from rejecting secure cookies on HTTP redirects.
The implementation integrates cleanly with the existing callback route handler, adding just 6 lines of code that parse both URLs and conditionally upgrade the protocol. The change is isolated to the redirect URL construction logic and doesn't affect other authentication flows or session management functionality.
Comprehensive test coverage validates both the basic protocol upgrade scenario and edge cases around port handling, ensuring the fix works correctly while preserving existing behavior for port numbers.
Confidence score: 4/5
- This PR is safe to merge with minimal risk as it addresses a specific deployment scenario without breaking existing functionality
- Score reflects well-tested, focused changes that solve a real production issue with load balancer deployments
- Pay close attention to
src/authkit-callback-route.tsto ensure the protocol upgrade logic integrates properly with existing redirect handling
2 files reviewed, no comments
Fixes #77
Problem
When running behind a load balancer with TLS termination, users experience infinite redirects because:
WORKOS_REDIRECT_URIprotocol (HTTPS = secure cookies)request.urlwhich is HTTP after load balancer processingSolution
Automatically detect protocol mismatch and upgrade redirect URL to HTTPS when
WORKOS_REDIRECT_URIis HTTPS but request is HTTP.This ensures the redirect URL protocol matches the cookie security setting, preventing infinite redirects in load balancer scenarios.