Mixed Content blocked: notifications EventSource uses non-HTTPS internal hostname

[delonsp]

Summary

When the app is served over HTTPS, the notifications panel attempts to open an EventSource against ${config.queueServer}/sse/.... If config.queueServer is configured with a non-HTTPS URL (e.g. an internal Docker service hostname like http://courselit-queue in a Docker-Compose deployment behind a reverse proxy), the browser blocks the request as Mixed Content and notifications never connect.

Where

apps/web/components/notifications-viewer.tsx, lines ~67-69:

const eventSource = new EventSource(
    `${config.queueServer}/sse/${profile.userId}`,
);

Reproduce

1. Deploy CourseLit behind HTTPS (Traefik/Nginx) with QUEUE_SERVER (or equivalent) pointing to an internal HTTP-only hostname.
2. Open any logged-in dashboard page (/dashboard/overview, /dashboard/my-content, etc.).
3. Open DevTools → Console.

Expected

EventSource connects (or, if not configured for public exposure, falls back gracefully without console errors).

Actual

Mixed Content: The page at 'https://example.com/dashboard/overview' was loaded over HTTPS,
but requested an insecure EventSource endpoint 'http://courselit-queue/sse/...'.
This request has been blocked; the content must be served over HTTPS.

Notifications never update in real time; users must reload to see new ones.

Suggested fix

Either:

• Document in deployment guide that queueServer must be a publicly reachable HTTPS URL (and provide a Compose example exposing the queue service via the same reverse proxy), or
• Fall back to a same-origin path (e.g. /api/sse/notifications proxied internally) when queueServer is not an absolute HTTPS URL.

Environment

• CourseLit fork based on upstream main
• Deployment: Docker Compose + Traefik HTTPS
• Browsers: Chrome 134, Firefox 124 (both block per HTML spec)