From 6ea4d96830ec738898e487edfa8ace3f3a8c0976 Mon Sep 17 00:00:00 2001
From: Matteo Pagliazzi
Date: Wed, 23 Jan 2019 17:19:57 +0100
Subject: [PATCH] add extra condition to skip ssl check
---
 test/api/unit/middlewares/redirects.js | 17 +++++++++++++++++
 website/server/middlewares/redirects.js | 2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/test/api/unit/middlewares/redirects.js b/test/api/unit/middlewares/redirects.js
index 17f58d15da..fdbff0d879 100644
--- a/test/api/unit/middlewares/redirects.js
+++ b/test/api/unit/middlewares/redirects.js
@@ -106,6 +106,23 @@ describe('redirects middleware', () => {
 expect(res.redirect).to.be.calledOnce;
 expect(res.redirect).to.be.calledWith('https://habitica.com/static/front?skipSSLCheck=INVALID');
 });
+
+ it('does redirect if skip ssl check key is not set', () => {
+ let nconfStub = sandbox.stub(nconf, 'get');
+ nconfStub.withArgs('BASE_URL').returns('https://habitica.com');
+ nconfStub.withArgs('IS_PROD').returns(true);
+ nconfStub.withArgs('SKIP_SSL_CHECK_KEY').returns(null);
+
+ req.header = sandbox.stub().withArgs('x-forwarded-proto').returns('http');
+ req.originalUrl = '/static/front';
+ req.query.skipSSLCheck = 'INVALID';
+
+ const attachRedirects = requireAgain(pathToRedirectsMiddleware);
+ attachRedirects.forceSSL(req, res, next);
+
+ expect(res.redirect).to.be.calledOnce;
+ expect(res.redirect).to.be.calledWith('https://habitica.com/static/front');
+ });
 });
 context('forceHabitica', () => {
diff --git a/website/server/middlewares/redirects.js b/website/server/middlewares/redirects.js
index b7de10f80c..587474378e 100644
--- a/website/server/middlewares/redirects.js
+++ b/website/server/middlewares/redirects.js
@@ -21,7 +21,7 @@ function isHTTP (req) {
 export function forceSSL (req, res, next) {
 const skipSSLCheck = req.query.skipSSLCheck;
- if (isHTTP(req) && (!skipSSLCheck || skipSSLCheck !== SKIP_SSL_CHECK_KEY)) {
+ if (isHTTP(req) && (!SKIP_SSL_CHECK_KEY || !skipSSLCheck || skipSSLCheck !== SKIP_SSL_CHECK_KEY)) {
 return res.redirect(BASE_URL + req.originalUrl);
 }
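Review bot: The added `!SKIP_SSL_CHECK_KEY ||` term in the `if` of forceSSL cannot change the result, because the redirect is only skipped when `skipSSLCheck` is truthy and strictly equal to the key, which already requires a truthy key. The new test in test/api/unit/middlewares/redirects.js would therefore pass against the old condition too; it documents the intent rather than guarding a regression. If the goal is to make the fail-closed behaviour explicit, naming the allow case reads more clearly and pins the parameter type: `const mayBypass = Boolean(SKIP_SSL_CHECK_KEY) && typeof skipSSLCheck === 'string' && skipSSLCheck === SKIP_SSL_CHECK_KEY;` followed by `if (isHTTP(req) && !mayBypass) {`. The bypass only matters on a request that arrived over plain HTTP (judging by the `x-forwarded-proto` stub in the test), so a comment such as `// SKIP_SSL_CHECK_KEY travels in the query string of a plain-HTTP request: treat it as low-value and rotate it if it shows up in logs` would help operators. forceSSL's body continues outside the hunk.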