coder13/fantasy-cubing-2017

OAuth flow is going through HTTP along the way

Opened this issue · 2 comments

jfly commented

From Chrome dev tools when logging in:

image

  1. The /authorize is the OAuth route on the WCA website. The redirect_uri parameter looks like this: redirect_uri=http%3A%2F%2Ffantasy.cubing.net%2Flogin. Note the http, not https.
  2. The first /login? is an HTTP URL on fantasy.cubing.net.
  3. The second /login? is an HTTPS URL on fantasy.cubing.net.

Fixing 1) should be some reconfiguration of HAPI's auth flow: https://github.com/coder13/fantasycubing/blob/a949667a6413d995eacf5c0fe6c2a611887197aa/server/auth/index.js#L12-L32. I don't know where the redirect uri is configured. However, fixing that won't be enough; you'll also need to configure the WCA website to allow redirects to the HTTPS URL. Right now I see over on https://www.worldcubeassociation.org/oauth/applications/13/edit that only http://fantasy.cubing.net/login is listed as a redirect uri, not https://fantasy.cubing.net/login.

jfly commented

I don't know where the redirect uri is configured.

Ok, after digging into HAPI internals, here's what I've found:

  • The redirect_uri is generated here (I'm pretty sure we're using the v2 version of the library, don't be confused by all the v1 stuff in this file).
  • protocol on the line above comes from this call to internals.getProtocol.
  • internals.getProtocol is defined here. Are you running HAPI behind nginx or something? (I suspect that settings.location is actually a http url). One solution would be to set settings.forceHttps to true.

Another solution might be to set settings.location to something, which would short-circuit the internals.location method here (called from here).
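The protocol detection described in the comment above, as an added example that is not code from the fantasy-cubing project or from hapi/bell: a simplified model of how a client derives redirect_uri behind a TLS-terminating proxy, what forceHttps and location change, and the exact-match rule the provider applies. The function names, the settings object shape and the sample request are assumptions for illustration.

```javascript
// Added example (not code from fantasy-cubing or from hapi/bell): a simplified
// model of how an OAuth client derives redirect_uri from the incoming request,
// and why an app behind a TLS-terminating proxy ends up sending http://.
// Names, settings shape and the sample request are assumptions for illustration.

function getProtocol(request, settings) {
  // forceHttps overrides whatever the node process itself observed.
  if (settings.forceHttps) return 'https';
  // Behind nginx the process only sees plain http unless the proxy forwards
  // the original scheme in X-Forwarded-Proto.
  const forwarded = request.headers['x-forwarded-proto'];
  return forwarded ? forwarded.split(',')[0].trim() : request.protocol;
}

function buildRedirectUri(request, settings, path) {
  // An explicit location setting short-circuits protocol/host detection.
  if (settings.location) return settings.location + path;
  return `${getProtocol(request, settings)}://${request.headers.host}${path}`;
}

// Provider-side rule: redirect_uri must exactly match a registered URI
// (scheme included), so http://.../login is rejected once only https is listed.
function redirectUriAllowed(redirectUri, registeredUris) {
  return registeredUris.includes(redirectUri);
}

// Client-side guard: refuse to start the flow with a non-TLS callback.
function isTlsRedirect(redirectUri) {
  return new URL(redirectUri).protocol === 'https:';
}

// Constructed sample: what the node process sees behind a proxy that does
// not forward X-Forwarded-Proto (the situation the issue describes).
const sampleRequest = { protocol: 'http', headers: { host: 'fantasy.cubing.net' } };
const registered = ['https://fantasy.cubing.net/login'];

function demo() {
  const broken = buildRedirectUri(sampleRequest, {}, '/login');
  const forced = buildRedirectUri(sampleRequest, { forceHttps: true }, '/login');
  const located = buildRedirectUri(sampleRequest, { location: 'https://fantasy.cubing.net' }, '/login');
  return {
    broken, forced, located,
    brokenAllowed: redirectUriAllowed(broken, registered),
    forcedAllowed: redirectUriAllowed(forced, registered),
    brokenIsTls: isTlsRedirect(broken),
  };
}

console.log(demo());
```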

jfly commented

Bump! Was just looking at all the WCA OAuth applications and was reminded of this.