weavejester / ring-oauth2

OAuth 2.0 client middleware for Ring

X-Forwarded-* headers are not used for resolving the URI

kaosko opened this issue

Function redirect-uri should use X-Forwarded-* header values to resolve the URI, at least request.getHeader("X-Forwarded-Proto"). Currently, if your application is behind a reverse proxy that handles https and you resolve a relative redirect link, the generated URI will have http:// instead of https://.

Take a look at the wrap-forwarded-scheme function in the Ring-SSL library. Rather than making every middleware check both the :scheme and the X-Forwarded-Proto header, it's less code to normalize the request map first.
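
The normalization suggested above, as an added example that is not part of the original thread or of ring-oauth2's code: it applies Ring-SSL's `wrap-forwarded-scheme` before a relative redirect path is resolved against the request URL. The namespace, the `resolve-redirect` helper, the sample request and the paths are constructed for illustration.

```clojure
(ns example.forwarded
  (:require [ring.middleware.ssl :refer [wrap-forwarded-scheme]]
            [ring.util.request :as req]))

;; Hypothetical helper (not ring-oauth2's own function): resolve a relative
;; redirect path against the URL Ring reconstructs from the request map.
(defn resolve-redirect [request relative-uri]
  (-> (req/request-url request)
      (java.net.URI/create)
      (.resolve ^String relative-uri)
      str))

;; Constructed request as the application sees it behind a TLS-terminating
;; reverse proxy: the proxy-to-app hop is plain HTTP, the client used HTTPS.
(def proxied-request
  {:request-method :get
   :scheme         :http
   :server-name    "app.example.com"
   :server-port    8080
   :uri            "/oauth2/example/launch"
   :headers        {"host"              "app.example.com"
                    "x-forwarded-proto" "https"}})

(defn handler [request]
  {:status  200
   :headers {}
   :body    (resolve-redirect request "/oauth2/example/callback")})

;; wrap-forwarded-scheme rewrites :scheme from the X-Forwarded-Proto header,
;; so every middleware and handler inside it sees the client-facing scheme.
(def app (wrap-forwarded-scheme handler))

(defn -main [& _]
  ;; Raw request map: the URI is built from the proxy-to-app scheme.
  (println "without normalization:" (:body (handler proxied-request)))
  ;; Normalized request map: the URI is built from the forwarded scheme.
  (println "with normalization:   " (:body (app proxied-request))))

;; With ring-oauth2 the same ordering applies: the normalizing wrapper goes
;; outside the OAuth middleware (`profiles` is a placeholder here):
;;   (-> handler
;;       (wrap-oauth2 profiles)
;;       wrap-forwarded-scheme)
```

`wrap-forwarded-scheme` trusts whatever value the header carries, so enable it only when the application is reachable solely through a proxy that sets or overwrites `X-Forwarded-Proto`; otherwise a client can supply the header itself and influence the scheme of the generated redirect URI.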