CTFd doesn't handle URL protocol properly (mixing HTTP with HTTPS)

Environment:

• CTFd Version/Commit: b7a19f7
• Operating System: Alpine 3.9.3
• Running CTFd with tghosth/CTFd-docker-deploy behind a TLS-terminating Nginx.
• Reverse proxy properly returns the host, original IP, and the requested protocol via X-Forwarded-Proto.
• Web Browser and Version: Chrome 73

What happened? While running under HTTPS, several areas in CTFd return and redirect to http:// when they should be https://. I encountered this behaviour in the following areas:

• All redirects caused by accessing an area that requires authentication without being authenticated. (e.g. https://ctfdomain.example/user -> http://ctfdomain.example/login)
• All redirects resulting from actions processed by the server. (e.g. the redirect that happens after importing a backup)
• All redirects performed in a custom plugin I’m writing using Flask Dance (it’s for Okta authentication). I realise this will be difficult to reproduce, so I’m listing here it at last. Hopefully this shares the same root cause as the other two as it’s my biggest pain point.

What did you expect to happen? Everything should be HTTPS.

How to reproduce your issue

A. Backup import:

1. Import a backup.
2. Wait until a redirect to HTTP happens.

I reproduced it on CTFd’s own demo.ctfd.io

B. Auth redirect:

1. curl -I https://ctfdomain.example/user
2. Notice the returned Location: header pointing to http://.

demo.ctfd.io is authed all the time, so I can’t repro there, but this screenshot is from a publicly available CTF found in the first page of Googling for “Powered by CTFd”.