Bug: forceHTTPS method ignores baseURL configuration when redirecting

[jlamim]

Describe the bug
When doing a redirect using $this->forceHTTPS(), the URL to which the redirection is made does not match the URL of the application.

URL accessed: http://codigos-livroci4.lsd/blog_ci4/public/blog/https

Redirect URL: https://codigos-livroci4.lsd/blog/https

You should redirect to: https://codigos-livroci4.lsd/blog_ci4/public/blog/https

baseURL configured: http://codigos-livroci4.lsd/blog_ci4/public

CodeIgniter 4 version
4.0.2

Affected module(s)
Controller

Expected behavior, and steps to reproduce if appropriate
You should redirect to https://codigos-livroci4.lsd/blog_ci4/public/blog/https

Context

• OS: Windows 10
• Apache 2.4.41
• PHP 7.4.0

[michalsn]

Right now URI class has no knowledge about a folder in which the application works. I would expect to have this information available via getPath(), but we actually override this value because we rely on it heavily to rewrite segments and load controller from the appropriate namespace.

The quick fix would be to use baseURL as a hostname but I'm not sure about it... sounds really wrong since it would return an unexpected result for getHost() method when running application in a subfolder.

We could also have something like $uri->getFolder()? Idk... looking for other ideas.

[MGatner]

The url_helper is loaded universally and has some functions for helping identify these segments just for this reason. Totally okay to call functions from url_helper in core classes.

[michalsn]

I'm not sure how url_helper can be helpful here. Can you elaborate?
I can also be missing something really simple/obvious here.

[MGatner]

Well I haven't actually looked into the code behind this issue at all, so it might not be relevant, but it sounds like you need either a modified version of current_url() or some parameter-ized version of base_url(), right?

[michalsn]

Sadly no. We're working with the URI class here. It's a whole different problem: https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/Common.php#L392

[MGatner]

It does use URI but there's really not a compelling reason for that. Ultimately all it does is construct a string to pass to Response::redirect(): https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/Common.php#L419

current_url() actually already does a lot of the same work and takes into account the baseURL: https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/Helpers/url_helper.php#L168

I think we could either ditch using URI altogether and do a secure protocol replacement on current_url() or borrow the method used by current_url() to include the configured base. I think I'd rather see that than forcing URI to be aware of site configuration.

[MGatner]

Looking a bit more, getScheme and setScheme are just setting/returning a class property so it seems pretty silly to bother with that when you could just specify 'https'

[michalsn]

Yes, you're right. That makes a lot of sense. Thanks.

[jlamim]

In the same way as the redirection problem with forceHTTPS(), I encountered a similar problem with route redirection.

When calling $routes->addRedirect('author/about', 'authors/profile'); he should redirect to authors/profile respecting the baseURL, which would be http://codigos-livroci4.lsd/blog_ci4/public/authors/profile, but it redirects to http://codigos-Livoci4.lsd/authors/profile.

It seems to me that we have consistent problems with regard to redirects, and it is not just in the case of HTTPS.

[michalsn]

@jlamim I couldn't reproduce the error with addRedirect and I'm running my test application in a subfolder just like you. Is there any chance you forgot to configure baseURL in a config?

[jlamim]

Sorry, I ended up making a modification to the baseURL in previous tests and forgot to go back to the correct configuration, that's why the error with addRedirect.

Thanks @michalsn for reminding me of this detail!