Extend IsClientIDMetadataDocumentURL to accept http://localhost URLs

amirejaz · claude · amirejaz · commit 5d11a41cf09c · 2026-05-26T02:08:47.000+05:00
The embedded AS must resolve CIMD client_ids for local development and testing the same way FetchClientMetadataDocument does — accepting http://localhost and http://127.x.x.x in addition to https://. This brings IsClientIDMetadataDocumentURL in line with validateCIMDClientURL in pkg/oauthproto/cimd/fetch.go which already permits these schemes. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
diff --git a/pkg/oauthproto/cimd.go b/pkg/oauthproto/cimd.go
@@ -12,11 +12,39 @@ import "strings"
 // be used in production.
 const ToolHiveClientMetadataDocumentURL = "https://toolhive.dev/oauth/client-metadata.json"
 
-// IsClientIDMetadataDocumentURL returns true if clientID is an HTTPS URL.
-// Any HTTPS URL is treated as a CIMD client_id; DCR-issued IDs are always
-// opaque strings that never begin with "https://". Do not tighten this to an
-// exact match against ToolHiveClientMetadataDocumentURL — the embedded AS
-// must accept CIMD URLs from third-party clients too.
+// IsClientIDMetadataDocumentURL returns true if clientID looks like a CIMD URL.
+// In production this means any HTTPS URL; in local development http://localhost
+// (and http://127.x.x.x) URLs are also accepted so that integration tests can
+// use plain httptest.Server instances without TLS setup. DCR-issued IDs are
+// always opaque strings that never begin with a URL scheme, so there is no risk
+// of false positives. Do not tighten this to an exact match against
+// ToolHiveClientMetadataDocumentURL — the embedded AS must accept CIMD URLs
+// from third-party clients too.
 func IsClientIDMetadataDocumentURL(clientID string) bool {
-	return strings.HasPrefix(clientID, "https://")
+	if strings.HasPrefix(clientID, "https://") {
+		return true
+	}
+	// Allow http://localhost and http://127.x.x.x for local development and
+	// integration testing. These are the only HTTP URLs that
+	// FetchClientMetadataDocument / validateCIMDClientURL also accept.
+	if strings.HasPrefix(clientID, "http://") {
+		return IsLoopbackHost(hostFromURL(clientID))
+	}
+	return false
+}
+
+// hostFromURL extracts the host (without port) from a raw URL string for the
+// narrow purpose of IsClientIDMetadataDocumentURL's loopback check. It avoids
+// importing net/url so this leaf package stays import-free. A full URL parse
+// is performed by FetchClientMetadataDocument before any network I/O.
+func hostFromURL(rawURL string) string {
+	// Strip scheme
+	rest := strings.TrimPrefix(rawURL, "http://")
+	// Extract host (up to first '/', '?', or '#')
+	for i, c := range rest {
+		if c == '/' || c == '?' || c == '#' {
+			return rest[:i]
+		}
+	}
+	return rest
 }
