ATlast — you'll never need to find your favorites on another platform again. Find your favs in the ATmosphere.
atproto
fix(api): use 127.0.0.1 for oauth loopback
+6
-7
+6
-7
packages/api/src/infrastructure/oauth/config.ts
+6
-7
packages/api/src/infrastructure/oauth/config.ts
···
49
49
50
50
// Local OAuth configuration (loopback)
51
51
if (isLocal) {
52
-
const currentHost = host || "localhost:3000";
53
-
const protocol = currentHost.includes("127.0.0.1")
54
-
? "http://127.0.0.1"
55
-
: "http://localhost";
56
-
52
+
// RFC 8252 requires loopback clients to use IP address, not hostname
53
+
// Always use 127.0.0.1 for AT Protocol OAuth compatibility
54
+
const currentHost = host || "127.0.0.1:3000";
57
55
const port = currentHost.split(":")[1] || "3000";
58
-
const redirectUri = `${protocol}:${port}/api/auth/oauth-callback`;
56
+
const redirectUri = `http://127.0.0.1:${port}/api/auth/oauth-callback`;
59
57
60
-
// ClientID must start with localhost
58
+
// Client ID for loopback uses http://localhost with redirect_uri as query param
59
+
// But the redirect_uri itself MUST use 127.0.0.1
61
60
const clientId = `http://localhost?${new URLSearchParams([
62
61
["redirect_uri", redirectUri],
63
62
["scope", CONFIG.OAUTH_SCOPES],