Merge pull request #3 from zoonru/fix-multiple-x_forwarded_proto

fix multiple x_forwarded_proto

src/HttpClient/Util.php

@@ -89,12 +89,22 @@ public static function getCurrentUrl($requestUri = false)
         $protocol = 'http://';
 
         if (($collection->get('HTTPS') && $collection->get('HTTPS') !== 'off') ||
-            $collection->get('HTTP_X_FORWARDED_PROTO') === 'https') {
+            self::isXForwardedProtoHttps($collection->get('HTTP_X_FORWARDED_PROTO'))) {
             $protocol = 'https://';
         }
 
         return $protocol .
             $collection->get('HTTP_HOST') .
             $collection->get($requestUri ? 'REQUEST_URI' : 'PHP_SELF');
     }
+
+    public static function isXForwardedProtoHttps($xForwardedProto)
+    {
+        $protos = explode(',', (string)$xForwardedProto);
+        if (count($protos) > 0) {
+            return trim($protos[0]) === 'https';
+        }
+
+        return false;
+    }
 }

src/Thirdparty/OpenID/LightOpenID.php

@@ -11,6 +11,7 @@
 
 use Hybridauth\Exception\Exception;
 use Hybridauth\Exception\ExceptionInterface;
+use Hybridauth\HttpClient\Util;
 
 /**
  * Class ErrorException
@@ -255,7 +256,7 @@ protected function get_realm_protocol()
         if (!empty($_SERVER['HTTPS'])) {
             $use_secure_protocol = ($_SERVER['HTTPS'] !== 'off');
         } elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
-            $use_secure_protocol = ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https');
+            $use_secure_protocol = (Util::isXForwardedProtoHttps($_SERVER['HTTP_X_FORWARDED_PROTO']));
         } elseif (isset($_SERVER['HTTP__WSSC'])) {
             $use_secure_protocol = ($_SERVER['HTTP__WSSC'] == 'https');
         } else {