From 82e6a03bb950a3d6c70e2d784fda8b2b54a9a744 Mon Sep 17 00:00:00 2001
From: Thomas Reitz
Date: Thu, 12 Mar 2026 23:26:10 +0100
Subject: [PATCH] =?UTF-8?q?fix(ms365):=20HTTPS-Protokoll=20f=C3=BCr=20Inte?= =?UTF-8?q?gration-Redirect-URI=20erzwingen?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Traefik leitet x-forwarded-proto nicht korrekt weiter, sodass der Controller http:// statt https:// generierte — Azure lehnt nicht-HTTPS Redirect-URIs für nicht-localhost ab (AADSTS50011). Protokoll wird jetzt aus der konfigurierten SSO-Redirect-URI abgeleitet (immer HTTPS), der Host bleibt dynamisch (IP oder DNS).
Co-Authored-By: Claude Sonnet 4.6
---
 .../src/core/integrations/integrations.controller.ts | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/packages/core-service/src/core/integrations/integrations.controller.ts b/packages/core-service/src/core/integrations/integrations.controller.ts
index c4c0067..12adfc7 100644
--- a/packages/core-service/src/core/integrations/integrations.controller.ts
+++ b/packages/core-service/src/core/integrations/integrations.controller.ts
@@ -65,9 +65,16 @@ export class IntegrationsController {
 @Req() req: Request,
 ): Promise<{ success: boolean; data: { url: string } }> {
 // Redirect-URI dynamisch aus dem Anfrage-Host ableiten
- // Unterstuetzt sowohl IP als auch DNS-Name (z.B. insight.xinion.lan)
+ // Protokoll: aus der konfigurierten SSO-URI (HTTPS) — Azure akzeptiert nur HTTPS
+ // fuer nicht-localhost URIs. x-forwarded-proto koennte http sein (Traefik-intern).
 const host = (req.get('x-forwarded-host') || req.get('host') || '').split(',')[0].trim();
- const proto = req.get('x-forwarded-proto') || req.protocol || 'http';
+ const configuredUri = this.entraIdService.getIntegrationRedirectUri();
+ let proto = 'https';
+ try {
+ proto = new URL(configuredUri).protocol.replace(':', '');
+ } catch {
+ proto = req.get('x-forwarded-proto') || 'https';
+ }
 const redirectUri = host
 ? `${proto}://${host}/api/v1/auth/integrations/microsoft-365/callback`
 : undefined;
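Review bot: The `catch` fallback `proto = req.get('x-forwarded-proto') || 'https';` reintroduces the header that the commit message describes as unreliable, so when the configured URI is missing or unparsable the redirect URI can again come out as `http://`; the value is also request-supplied and, unlike the host line, not split on `,`. Since the stated goal is to force HTTPS, the fallback could simply be `proto = 'https';`, with a logged warning about the invalid configuration instead of a silent catch. The `try` branch passes through whatever scheme the configured URI carries, so an `http://` setting is accepted unchanged; if that is meant only for localhost, a comment such as `// http is only expected for localhost development` would make the intent clear. The host on the context line is still read from `x-forwarded-host`/`host`, so unless the proxy overwrites that header it would be safer to compare it with an allowlist or with the host of the configured URI before building `redirectUri`. The method body starts and ends outside this hunk.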