🐛 fix(web-server): use X-Forwarded-Proto header for confirmation link scheme 🚑 (#9026)

Author: giancarloromeo

services/web/server/src/simcore_service_webserver/login/_confirmation_web.py

@@ -2,6 +2,7 @@
 from urllib.parse import quote
 
 from aiohttp import web
+from servicelib.common_headers import X_FORWARDED_PROTO
 from yarl import URL
 
 from simcore_service_webserver.login._application_keys import (
@@ -26,7 +27,10 @@ def _url_for_confirmation(app: web.Application, code: str) -> URL:
 def make_confirmation_link(request: web.Request, code: str) -> str:
     assert code  # nosec
     link = _url_for_confirmation(request.app, code=code)
-    return f"{request.scheme}://{request.host}{link}"
+    # Custom header by traefik. See labels in docker-compose as:
+    # - traefik.http.middlewares.${SWARM_STACK_NAME_NO_HYPHEN}_sslheader.headers.customrequestheaders.X-Forwarded-Proto=http  # noqa: E501
+    scheme = request.headers.get(X_FORWARDED_PROTO, request.scheme)
+    return f"{scheme}://{request.host}{link}"
 
 
 @ensure_single_setup(__name__, logger=_logger)

services/web/server/tests/unit/with_dbs/03/login/test_login_confirmation_service.py

@@ -54,6 +54,16 @@ async def mock_handler(request: web.Request):
     assert confirmation_link.startswith("https://example.com/auth/confirmation/")
     assert confirmation.code in confirmation_link
 
+    # Step 5: Verify X-Forwarded-Proto header is respected
+    request_behind_proxy = make_mocked_request(
+        "GET",
+        "http://example.com/auth/confirmation/{code}",
+        app=app,
+        headers={"Host": "example.com", "X-Forwarded-Proto": "https"},
+    )
+    confirmation_link_via_proxy = _confirmation_web.make_confirmation_link(request_behind_proxy, confirmation.code)
+    assert confirmation_link_via_proxy.startswith("https://example.com/auth/confirmation/")
+
 
 async def test_expired_confirmation_token(
     confirmation_service: ConfirmationService,