From 7832cf30f131274f4cb8c3070e7ddcc5520d239f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20KUBLER?=
Date: Sat, 30 Mar 2019 12:01:18 +0100
Subject: [PATCH 1/2] Made HTTPS detection a bit better.

Introduced a new private method `isHttps` that checks if the request was sent over HTTPS or not. To do so, it checks if one of the following is true:
- URI scheme is 'https',
- a 'X-Forwarded-Proto' header is present and its value is 'https' (useful when running behind a load balancer).
---
 src/JwtAuthentication.php | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/JwtAuthentication.php b/src/JwtAuthentication.php
index 2d760dc..357f05f 100644
--- a/src/JwtAuthentication.php
+++ b/src/JwtAuthentication.php
@@ -124,7 +124,7 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
     }
 
     /* HTTP allowed only if secure is false or server is in relaxed array. */
-    if ("https" !== $scheme && true === $this->options["secure"]) {
+    if (false === $this->isHttps($request) && true === $this->options["secure"]) {
         if (!in_array($host, $this->options["relaxed"])) {
             $message = sprintf(
                 "Insecure use of middleware over %s denied by configuration.",
@@ -278,6 +278,26 @@ private function decodeToken(string $token): array
         }
     }
 
+    /**
+     * Checks if the request was sent over HTTPS.
+     *
+     * This is done by checking if either the URL scheme or a
+     * 'X-Forwarded-Proto' header is equal to 'https' (the latter is useful
+     * when running behind a load balancer).
+     */
+    private function isHttps(ServerRequestInterface $request): bool
+    {
+        $scheme = $request->getUri()->getScheme();
+        $x_fwd_proto_headers = $request->getHeader('X-Forwarded-Proto');
+
+        $sanitized = array_map('trim', array_map('strtolower', $x_fwd_proto_headers));
+
+        return (
+            'https' === $scheme
+            || in_array('https', $sanitized, true)
+        );
+    }
+
     /**
      * Hydrate options from given array.
      */

From 4bcc69de4dfbbe5daf5239d68ea12d9db71aa9b0 Mon Sep 17 00:00:00 2001
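Review bot: The rewritten condition `false === $this->isHttps($request)` reads more naturally as `!$this->isHttps($request)`, and it now makes the `secure` gate depend on the `X-Forwarded-Proto` handling introduced in the second hunk, so the two hunks need to be reviewed together. If `$scheme` is no longer read after this line (the `sprintf` argument for `%s` is not visible here), the assignment above the hunk becomes dead and should be removed. `process` starts and ends outside the hunk.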
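Review bot: `isHttps` honours `X-Forwarded-Proto` from any request, so in a deployment that is not behind a proxy overwriting that header the value is client-controlled and the `secure` check in `process` no longer guarantees the token arrived over TLS; nothing in the method ties the header to a known proxy. The header should be consulted only when the deployment opts in, e.g. `if (!($this->options['trust_forwarded_proto'] ?? false)) { return 'https' === $scheme; }` placed before the `array_map` calls (`trust_forwarded_proto` is a proposed option name, not one the file defines), ideally combined with a comparison of the `REMOTE_ADDR` server param against a configured proxy list, and the docblock should state that the header is trusted only under that option. Style-wise, `$x_fwd_proto_headers` breaks the camelCase used elsewhere in the hunk (`$sanitized`, `isHttps`), and the string callables `'trim'`/`'strtolower'` could become `trim(...)`/`strtolower(...)` if the project targets PHP 8.1 or later.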
From: =?UTF-8?q?Fran=C3=A7ois=20KUBLER?=
Date: Sat, 30 Mar 2019 12:25:48 +0100
Subject: [PATCH 2/2] Fixed a typo (non breaking space).

This made the tests in Travis-CI fail.
---
 src/JwtAuthentication.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/JwtAuthentication.php b/src/JwtAuthentication.php
index 357f05f..155627d 100644
--- a/src/JwtAuthentication.php
+++ b/src/JwtAuthentication.php
@@ -294,7 +294,7 @@ private function isHttps(ServerRequestInterface $request): bool
 
         return (
             'https' === $scheme
-            || in_array('https', $sanitized, true)
+            || in_array('https', $sanitized, true)
         );
     }
 