From 3894f410d2cf43bec23f266a3021c35aa5bb4e38 Mon Sep 17 00:00:00 2001
From: Gabe Kangas
Date: Fri, 23 Dec 2022 20:50:12 -0800
Subject: [PATCH] Enforce https before indieauth parsing. For #2492
---
 auth/indieauth/helpers.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/auth/indieauth/helpers.go b/auth/indieauth/helpers.go
index f777c8754..159c30a33 100644
--- a/auth/indieauth/helpers.go
+++ b/auth/indieauth/helpers.go
@@ -74,6 +74,10 @@ func getAuthEndpointFromURL(urlstring string) (*url.URL, error) {
 return nil, errors.Wrap(err, "unable to parse URL")
 }
 
+ if htmlDocScrapeURL.Scheme != "https" {
+ return nil, fmt.Errorf("url must be https")
+ }
+
 r, err := http.Get(htmlDocScrapeURL.String()) // nolint:gosec
 if err != nil {
 return nil, err
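Review bot: The scheme check added before `http.Get` only covers the URL the caller supplied; `http.Get` uses the default client, which follows redirects, so a page served over `https` can still send the fetch on to an `http://` target. If the intent is that the whole IndieAuth discovery fetch stays on TLS, the check has to be repeated on every hop through `CheckRedirect` on a dedicated `http.Client`, keeping the hop limit that the default policy would otherwise apply. The check also does not constrain the host, so it is worth confirming whether loopback and private addresses are filtered somewhere outside this hunk. `getAuthEndpointFromURL` starts before and continues after the lines shown here.

```go
	// … unchanged: url.Parse and the https check on htmlDocScrapeURL.Scheme …

	// Re-check the scheme on every redirect hop so the fetch cannot be
	// downgraded to plain http after the initial validation.
	client := &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if req.URL.Scheme != "https" {
				return fmt.Errorf("redirect target must be https")
			}
			// Setting CheckRedirect replaces the default policy, so keep its hop limit.
			if len(via) >= 10 {
				return fmt.Errorf("stopped after 10 redirects")
			}
			return nil
		},
	}
	r, err := client.Get(htmlDocScrapeURL.String()) // nolint:gosec
	// … unchanged: err check and the rest of getAuthEndpointFromURL …
```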