test: bind ExpressJS servers to localhost (#1845)

Prevents these test services being exposed to external network requests.

Author: alxndrsn

test/e2e/oidc/fake-oidc-server/index.mjs

@@ -106,9 +106,9 @@ const oidc = new Provider(rootUrl, {
     const key  = fs.readFileSync('../certs/fake-oidc-server.example.net-key.pem', 'utf8'); // eslint-disable-line no-multi-spaces
     const cert = fs.readFileSync('../certs/fake-oidc-server.example.net.pem', 'utf8');
     const httpsServer = https.createServer({ key, cert }, oidc.callback());
-    await httpsServer.listen(port);
+    await httpsServer.listen(port, '127.0.0.1');
   } else {
-    await oidc.listen(port);
+    await oidc.listen(port, '127.0.0.1');
   }
   log(`oidc-provider listening on port ${port}, check ${rootUrl}/.well-known/openid-configuration`);
 })();

test/e2e/oidc/playwright-tests/src/global-setup-teardown.js

@@ -34,14 +34,14 @@ async function startFakeFrontend() {
   fakeFrontend.get('*',    successHandler); // eslint-disable-line no-use-before-define
 
   if (frontendUrl.startsWith('http://')) {
-    return fakeFrontend.listen(port);
+    return fakeFrontend.listen(port, '127.0.0.1');
   } else {
     const fs = require('node:fs');
     const https = require('node:https');
     const key  = fs.readFileSync('../certs/odk-central.example.org-key.pem', 'utf8');
     const cert = fs.readFileSync('../certs/odk-central.example.org.pem', 'utf8');
     const httpsServer = https.createServer({ key, cert }, fakeFrontend);
-    await httpsServer.listen(port);
+    await httpsServer.listen(port, '127.0.0.1');
     return httpsServer;
   }
 }

test/integration/external/sentry.js

@@ -79,7 +79,7 @@ describe('sentry', () => {
         res.send({ id: uuid().replace(/-/g, '') });
       });
 
-      const _server = app.listen(0, () => {
+      const _server = app.listen(0, '127.0.0.1', () => {
         resolve(_server);
       });
       _server.on('error', reject);