MediaMetz/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-05-12 12:54:07 -07:00
Code Issues Packages Projects Releases Wiki Activity

fix(oauth): update oauth to use 127.0.0.1 instead of localhost (#17388)

Browse Source
This commit is contained in:
Shreya Keshive
2026-01-23 13:41:37 -05:00
committed by GitHub
parent dabb9ad8f6
commit 1ec8f40096
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/core/src/code_assist/oauth2.test.ts
+1 -1
View File
@@ -208,7 +208,7 @@ describe('oauth2', () => {
expect(open).toHaveBeenCalledWith(mockAuthUrl); expect(open).toHaveBeenCalledWith(mockAuthUrl);
expect(mockGetToken).toHaveBeenCalledWith({ expect(mockGetToken).toHaveBeenCalledWith({
code: mockCode, code: mockCode,
redirect_uri: `http://localhost:${capturedPort}/oauth2callback`, redirect_uri: `http://127.0.0.1:${capturedPort}/oauth2callback`,
}); });
expect(mockSetCredentials).toHaveBeenCalledWith(mockTokens); expect(mockSetCredentials).toHaveBeenCalledWith(mockTokens);
packages/core/src/code_assist/oauth2.ts
+3 -3
View File
@@ -459,12 +459,12 @@ async function authWithUserCode(client: OAuth2Client): Promise<boolean> {
async function authWithWeb(client: OAuth2Client): Promise<OauthWebLogin> { async function authWithWeb(client: OAuth2Client): Promise<OauthWebLogin> {
const port = await getAvailablePort(); const port = await getAvailablePort();
// The hostname used for the HTTP server binding (e.g., '0.0.0.0' in Docker). // The hostname used for the HTTP server binding (e.g., '0.0.0.0' in Docker).
const host = process.env['OAUTH_CALLBACK_HOST'] || 'localhost'; const host = process.env['OAUTH_CALLBACK_HOST'] || '127.0.0.1';
// The `redirectUri` sent to Google's authorization server MUST use a loopback IP literal // The `redirectUri` sent to Google's authorization server MUST use a loopback IP literal
// (i.e., 'localhost' or '127.0.0.1'). This is a strict security policy for credentials of // (i.e., 'localhost' or '127.0.0.1'). This is a strict security policy for credentials of
// type 'Desktop app' or 'Web application' (when using loopback flow) to mitigate // type 'Desktop app' or 'Web application' (when using loopback flow) to mitigate
// authorization code interception attacks. // authorization code interception attacks.
const redirectUri = `http://localhost:${port}/oauth2callback`; const redirectUri = `http://127.0.0.1:${port}/oauth2callback`;
const state = crypto.randomBytes(32).toString('hex'); const state = crypto.randomBytes(32).toString('hex');
const authUrl = client.generateAuthUrl({ const authUrl = client.generateAuthUrl({
redirect_uri: redirectUri, redirect_uri: redirectUri,
@@ -486,7 +486,7 @@ async function authWithWeb(client: OAuth2Client): Promise<OauthWebLogin> {
); );
} }
// acquire the code from the querystring, and close the web server. // acquire the code from the querystring, and close the web server.
const qs = new url.URL(req.url!, 'http://localhost:3000').searchParams; const qs = new url.URL(req.url!, 'http://127.0.0.1:3000').searchParams;
if (qs.get('error')) { if (qs.get('error')) {
res.writeHead(HTTP_REDIRECT, { Location: SIGN_IN_FAILURE_URL }); res.writeHead(HTTP_REDIRECT, { Location: SIGN_IN_FAILURE_URL });
res.end(); res.end();