Fix security issue when running on Glitch

[edwardhorsford]

The Prototype kit mostly works fine when running on glitch, but has an issue.

When you run the prototype, no username and password is required.

The kit is meant to require a username and password when run online, so that people don't accidentally come across the prototypes.

Glitch doesn't set NODE_ENV, so the kit incorrectly thinks it's running in a local environment. This pr checks an env var glitch uses, and if so, sets env to production.

This exposes a second bug - that the kit tries to apply https, but gets caught in a redirection loop because glitch sends a comma separated list for X-Forwarded-Proto. The accepted fix seems to be to split on , and use the first part (which would have no effect for most values of X-Forwarded-Proto).

---

I've tested this locally and on heroku and on glitch. It should cause no change locally or on heroku, but now correctly require username and password on glitch (and not crash if you set env to production).

If GDS doesn't want to 'officially' support glitch, I'd still suggest applying this pr - as it fixes the current security issue that Glitch prototypes incorrectly don't require a username and password.

I've avoided updating the docs about setting username and password on the assumption 'full' glitch support isn't yet wanted. But if wanted, I could add a single line - which would basically say to set username and password in .env.

[36degrees]

Looks good to me, thanks Ed.

Would you be able to add an entry to the changelog, please?

[edwardhorsford]

Looks good to me, thanks Ed.

Would you be able to add an entry to the changelog, please?

Sorry missed this. Done now.

[36degrees]

Thanks for doing that, @edwardhorsford 👍

This just needs a second review from @hannalaakso and then we can get this merged.

[hannalaakso]

@edwardhorsford Looks great, thanks for your work on this 🙌