when ENVIRONMENT=development is set, the server does not work on https

[ylebre]

There is an issue with the following bit of code:

/*/ Make sure HTTPS is always used in production /*/
$scheme = 'http';
if (getenv('ENVIRONMENT') !== 'development') {
    $router->map('GET', '/{page:(?:.|/)*}', HttpToHttpsController::class)->setScheme($scheme);
    $scheme = 'https';
}

I would expect https to work as well with the development environment, but because all the routes are tied to $scheme, they are only available on http.

[Potherca]

That code was originally created to enable development before a (Docker) HTTPS server was available as the internal PHP HTTP server does (explicitly) not support HTTPS.

It might be more sensible to change the getenv('ENVIRONMENT') check to something in the direction of "unsafe" rather than forcing all development environments to be unsafe...

[ylebre]

Maybe we can just check for env http or https to make it explicit? and even add routes for both schemes.

[Potherca]

Strictly speaking, there shouldn't be any HTTP at all. It should just always redirect to HTTPS.

At this point, I'm inclined to just remove the HTTP code entirely...

[ylebre]

I agree, having a secure default is the better option here, so we could just remove the http scheme completely. If someone really needs http:// it should be easy enough to modify that in the code.

[Potherca]

We had a discussion offline, the current conclusion is as follows:

1. Instead of using ->setScheme($scheme) for evey route or route-group, we remove them everywhere. This makes the routes scheme-agnostic.
2. We add a check that forces the use of HTTPS (via a redirect on non-https). This check can be enabled (or disabled) through a config/env var.

This means that unsafe (i.e. HTTP) URLs are supported, in case HTTPS is provided through a server-side proxy.

The question that remains is whether it makes more sense to have the HTTPS check on or off.

Thoughts? @ylebre / @poef / @michielbdejong