From 798c8f1c4134d2e8b5efd590c45d1bcded4cd1a8 Mon Sep 17 00:00:00 2001 From: Jaynel Patiarba Date: Wed, 24 Jun 2026 22:35:34 +0800 Subject: [PATCH] fix(security): restrict OAuth redirect_uri localhost bypass to local mode The OAuth authorize endpoint allowed redirect_uri to any localhost URL regardless of environment. In production (cloud/container deployments), an attacker could set redirect_uri=http://localhost:8080/steal and intercept OAuth authorization codes if they can bind that port on the same host (shared environments, cloud VMs, browser extensions). Gate the localhost exception behind localMode so it only applies during development (bun run dev / --local-mode). Production deployments only allow redirect_uri matching the configured baseUrl origin. Co-Authored-By: Claude Opus 4.6 (1M context) --- apps/mesh/src/api/app.ts | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/apps/mesh/src/api/app.ts b/apps/mesh/src/api/app.ts index 7195c0bcdd..5f3330a4ce 100644 --- a/apps/mesh/src/api/app.ts +++ b/apps/mesh/src/api/app.ts @@ -421,11 +421,13 @@ const oauthProxyHandler: MiddlewareHandler = async (c) => { const redirectUrl = new URL(redirectUri); const allowedOriginObj = new URL(allowedOrigin); - // Check if redirect_uri origin matches the allowed origin + // Check if redirect_uri origin matches the allowed origin. + // Localhost is only allowed in local mode — in production, an attacker + // could set redirect_uri=http://localhost:8080/steal to intercept + // OAuth authorization codes on shared hosts or cloud environments. const isAllowed = redirectUrl.origin === allowedOriginObj.origin || - // Allow localhost for development - redirectUrl.hostname === "localhost"; + (getSettings().localMode && redirectUrl.hostname === "localhost"); if (!isAllowed) { return c.json(
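Review bot: The comparison `redirectUrl.origin === allowedOriginObj.origin` that the new local-mode branch now falls back to still accepts any path and query on the configured origin, so the hunk closes the localhost hole but leaves redirect_uri validation at origin granularity rather than the exact-URI match the OAuth 2.0 Security BCP recommends; an open redirect anywhere on that origin would still receive the authorization code. If the proxy's callback path is fixed, compare `redirectUrl.href` against the full configured callback URL (or an explicit allowlist of callback paths) instead of `.origin`. The new branch matches only the literal hostname `localhost`, which is the safe direction, but the commit adds no regression test; one asserting that `http://localhost:8080/x` is rejected when `localMode` is false would pin the behaviour this fix exists to guarantee. `oauthProxyHandler` begins before the hunk, so whether `new URL(redirectUri)` is guarded against a malformed value is not visible here.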