Made HTTPS detection a bit better.

[Frzk]

Introduced a new private method isHttps that checks if the request was sent over HTTPS or not.
To do so, it checks if one of the following is true:

• URI scheme is 'https',
• a 'X-Forwarded-Proto' header is present and its value is 'https' (useful when running behind a load balancer).

[alokdhir]

Please merge. This is crucial for our env; otherwise we will have to deploy all our code with secure->false.

[tuupola]

@alokdhir technically there is almost no difference. The deployment is still unsecure if it trusts an user settable X-Forwarded-Proto header. Request itself still is not https.

@Frzk Sorry did not notice this earlier. Trusting headers should not be enabled by default. There was a similar PR for slim-basic-auth. Configuration should be same as this, ie adding headersto the relaxed setting.

$app->add(new Tuupola\Middleware\JwtAuthentication([
    "path" => "/admin",
    "secure" => true,
    "relaxed" => ["localhost", "headers"],
]));

[Frzk]

@tuupola : I guess it makes sense :-)

Maybe we could figure out a better way to handle these edge cases with support for X-Forwarded-* headers, but also for RFC 7239 (Forwarded header) in a dedicated option ?

I was thinking about something like:

$app->add(new Tuupola\Middleware\JwtAuthentication([
    "path" => "/admin",
    "secure" => true,
    "trustedProxies" => [
        "proxies": [192.0.2.1, 192.0.2.16],
        "headers": ["X-Forwarded-Proto", "Forwarded"]
    ],
]));

[kgrosvenor]

Has anyone tried this with jwilder/nginx-proxy? Using the secure option doesnt work for me, then again i am forcing https anyway so is there any point in me bothering @tuupola? Thanks