From 1ec8f4009665c343a72faf564301e81388c4f6b4 Mon Sep 17 00:00:00 2001
From: Shreya Keshive
Date: Fri, 23 Jan 2026 13:41:37 -0500
Subject: [PATCH] fix(oauth): update oauth to use 127.0.0.1 instead of localhost (#17388)
---
 packages/core/src/code_assist/oauth2.test.ts | 2 +-
 packages/core/src/code_assist/oauth2.ts | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/packages/core/src/code_assist/oauth2.test.ts b/packages/core/src/code_assist/oauth2.test.ts
index 0da2106db5..c838166cc2 100644
--- a/packages/core/src/code_assist/oauth2.test.ts
+++ b/packages/core/src/code_assist/oauth2.test.ts
@@ -208,7 +208,7 @@ describe('oauth2', () => {
 expect(open).toHaveBeenCalledWith(mockAuthUrl);
 expect(mockGetToken).toHaveBeenCalledWith({
 code: mockCode,
- redirect_uri: `http://localhost:${capturedPort}/oauth2callback`,
+ redirect_uri: `http://127.0.0.1:${capturedPort}/oauth2callback`,
 });
 expect(mockSetCredentials).toHaveBeenCalledWith(mockTokens);
diff --git a/packages/core/src/code_assist/oauth2.ts b/packages/core/src/code_assist/oauth2.ts
index 9b4d2cf079..a2357c9672 100644
--- a/packages/core/src/code_assist/oauth2.ts
+++ b/packages/core/src/code_assist/oauth2.ts
@@ -459,12 +459,12 @@ async function authWithUserCode(client: OAuth2Client): Promise {
 async function authWithWeb(client: OAuth2Client): Promise {
 const port = await getAvailablePort();
 // The hostname used for the HTTP server binding (e.g., '0.0.0.0' in Docker).
- const host = process.env['OAUTH_CALLBACK_HOST'] || 'localhost';
+ const host = process.env['OAUTH_CALLBACK_HOST'] || '127.0.0.1';
 // The `redirectUri` sent to Google's authorization server MUST use a loopback IP literal
 // (i.e., 'localhost' or '127.0.0.1'). This is a strict security policy for credentials of
 // type 'Desktop app' or 'Web application' (when using loopback flow) to mitigate
 // authorization code interception attacks.
- const redirectUri = `http://localhost:${port}/oauth2callback`;
+ const redirectUri = `http://127.0.0.1:${port}/oauth2callback`;
 const state = crypto.randomBytes(32).toString('hex');
 const authUrl = client.generateAuthUrl({
 redirect_uri: redirectUri,
@@ -486,7 +486,7 @@ async function authWithWeb(client: OAuth2Client): Promise {
 );
 }
 // acquire the code from the querystring, and close the web server.
- const qs = new url.URL(req.url!, 'http://localhost:3000').searchParams;
+ const qs = new url.URL(req.url!, 'http://127.0.0.1:3000').searchParams;
 if (qs.get('error')) {
 res.writeHead(HTTP_REDIRECT, { Location: SIGN_IN_FAILURE_URL });
 res.end();
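Review bot: The comment block above the new `redirectUri` line still presents `'localhost'` as an equally acceptable loopback literal, so after this commit it no longer explains why the code deliberately avoids it; the reason worth recording is that `localhost` is a hostname that goes through the resolver and hosts file and can map to a non-loopback or IPv6-only address, whereas an IP literal is never resolved, which is also the rationale RFC 8252 §8.3 gives for not recommending `localhost`. I would rewrite the parenthetical as `// (i.e., '127.0.0.1' or '[::1]' — not the hostname 'localhost', which is resolved and may not land on the loopback interface).` The hunk also leaves `host` (where the callback server binds) and `redirectUri` (what the browser is sent to) decoupled: when `OAUTH_CALLBACK_HOST` is overridden, the redirect still targets `127.0.0.1`, which appears intentional for the Docker case but deserves a one-line comment next to the `host` assignment saying the override affects only the bind address. `authWithWeb` continues past the end of this hunk.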
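Review bot: In the second hunk the base argument `'http://127.0.0.1:3000'` passed to `new url.URL(req.url!, …)` serves only to resolve the relative `req.url` so `.searchParams` can be read; neither the host nor the `:3000` port influences the parsed query, so the hard-coded port reads like a leftover and invites a future reader to "fix" it to `port`. Either drop the port or annotate the line, e.g. `// Base URL only anchors relative-path parsing; its host/port are never used.` The request handler this line belongs to starts and ends outside the hunk.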