Fix OAuth strategy registration and trust proxy for reverse-proxy deploys (#1)

unifiedjd · claude · web-flow · commit db65f1cd9eba · 2026-04-18T19:48:51.000-04:00
Register Passport strategies under their provider name so passport.authenticate('azure'|'google'|'okta'|'auth0'|'custom') resolves correctly; previously the OAuth2Strategy registered under its default name 'oauth2', causing "Unknown authentication strategy" 500s at /auth/login.

Also honor the EXPRESS_TRUST_PROXY env var so Azure Container Apps (and other reverse proxies) don't trigger express-rate-limit X-Forwarded-For validation errors.

Co-authored-by: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/servers/index.ts b/src/servers/index.ts
@@ -394,6 +394,15 @@ if (TRANSPORT === 'stdio') {
   // Disable X-Powered-By header for security
   app.disable('x-powered-by');
 
+  // Trust reverse proxy (Azure Container Apps, Cloudflare, etc.) so that
+  // req.ip and X-Forwarded-For are honored correctly by express-rate-limit.
+  // Set EXPRESS_TRUST_PROXY to a number of hops, a CIDR, "true", or leave unset.
+  const trustProxy = process.env.EXPRESS_TRUST_PROXY;
+  if (trustProxy) {
+    const numeric = Number(trustProxy);
+    app.set('trust proxy', Number.isFinite(numeric) ? numeric : trustProxy === 'true' ? true : trustProxy);
+  }
+
   // Request/Response logging middleware
   app.use((req: Request, res: Response, next: NextFunction) => {
     const startTime = Date.now();
@@ -958,11 +967,11 @@ if (TRANSPORT === 'stdio') {
   // OAuth routes (if configured)
   if (oauthConfig) {
     const scopeArray = oauthConfig.scope ? oauthConfig.scope.split(',') : undefined;
-    app.get('/auth/login', loginLimiter, passport.authenticate(oauthConfig.provider === 'custom' ? 'oauth2' : oauthConfig.provider, { scope: scopeArray }));
+    app.get('/auth/login', loginLimiter, passport.authenticate(oauthConfig.provider, { scope: scopeArray }));
 
     app.get(
       '/auth/callback',
-      passport.authenticate(oauthConfig.provider === 'custom' ? 'oauth2' : oauthConfig.provider, { failureRedirect: '/' }),
+      passport.authenticate(oauthConfig.provider, { failureRedirect: '/' }),
       (req: Request, res: Response) => {
         if (req.user && req.session) {
           const user = req.user as OAuthUser;
diff --git a/src/utils/core/oauth-strategy.ts b/src/utils/core/oauth-strategy.ts
@@ -30,7 +30,7 @@ export interface OAuthUser {
  */
 export function configureOAuthStrategy(config: OAuthConfig): void {
   const strategy = createStrategy(config);
-  passport.use(strategy);
+  passport.use(config.provider, strategy);
 
   // Serialize user for session storage
   passport.serializeUser((user: any, done) => {
