Merge pull request #4 from JuliusPC/JuliusPC/configure-https-upgrade

add get/setHttpUpgradeInsecureRequests(), fixes jumbojett#174
JuliusPC · Apr 18, 2021 · e4e549a · e4e549a
2 parents 79daf3b + 698bc59
commit e4e549a
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## master
+
+### Added
+* it is now possible to disable upgrading from HTTP to HTTPS for development purposes by calling `setHttpUpgradeInsecureRequests(false)`
+
 ## [0.9.2]
 
 ### Added

diff --git a/README.md b/README.md
@@ -153,10 +153,16 @@ $oidc->setVerifyHost(false);
 $oidc->setVerifyPeer(false);
 ```
 
+Also, your local system might not support HTTPS, so you might disable uprading to it:
+
+```php
+$oidc->httpUpgradeInsecureRequests(false);
+```
+
 ### Todo ###
 - Dynamic registration does not support registration auth tokens and endpoints
 
   [1]: http://openid.net/specs/openid-connect-basic-1_0-15.html#id_res
 
 ## Contributing ###
- - All pull requests, once merged, should be added to the changelog.md file.
+ - All pull requests, once merged, should be added to the CHANGELOG.md file.
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -230,6 +230,11 @@ class OpenIDConnectClient
      */
     protected $encType = PHP_QUERY_RFC1738;
 
+    /**
+     * @var bool Enable or disable upgrading to HTTPS by paying attention to HTTP header HTTP_UPGRADE_INSECURE_REQUESTS
+     */
+    protected $httpUpgradeInsecureRequests = true;
+
     /**
      * @var string holds code challenge method for PKCE mode
      * @see https://tools.ietf.org/html/rfc7636
@@ -588,7 +593,7 @@ public function getRedirectURL() {
          * Support of 'ProxyReverse' configurations.
          */
 
-        if (isset($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS']) && ($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS'] === '1')) {
+        if ($this->httpUpgradeInsecureRequests && isset($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS']) && ($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS'] === '1')) {
             $protocol = 'https';
         } else {
             $protocol = @$_SERVER['HTTP_X_FORWARDED_PROTO']
@@ -1292,6 +1297,16 @@ public function setVerifyHost($verifyHost) {
         $this->verifyHost = $verifyHost;
     }
 
+
+    /**
+     * Controls whether http header HTTP_UPGRADE_INSECURE_REQUESTS should be considered
+     * defaults to true
+     * @param bool $httpUpgradeInsecureRequests
+     */
+    public function setHttpUpgradeInsecureRequests($httpUpgradeInsecureRequests) {
+        $this->httpUpgradeInsecureRequests = $httpUpgradeInsecureRequests;
+    }
+
     /**
      * @return bool
      */
@@ -1306,6 +1321,14 @@ public function getVerifyPeer() {
         return $this->verifyPeer;
     }
 
+    /**
+     * @return bool 
+     */
+    public function getHttpUpgradeInsecureRequests()
+    {
+        return $this->httpUpgradeInsecureRequests;
+    }
+
     /**
      * Use this for custom issuer validation
      * The given function should accept the issuer string from the JWT claim as the only argument