Avoid redirecting to localhost during authorization flow

mislav · mislav · commit 71d3696667b1 · 2020-03-13T13:40:04.000+01:00
Web developers who have previously ran an application on
`http://localhost` that enabled HSTS (HTTP Strict Transport Security)
will find themselves unable to authenticate because their browser
(typically Safari, in practice) will keep redirecting them to
`https://localhost`, which isn't handled by our local server.

This switches the authorization callback to be to `127.0.0.1`, which
should be equivalent to `localhost`, but not subject to HSTS.
diff --git a/auth/oauth.go b/auth/oauth.go
@@ -47,7 +47,7 @@ func (oa *OAuthFlow) ObtainAccessToken() (accessToken string, err error) {
 
 	q := url.Values{}
 	q.Set("client_id", oa.ClientID)
-	q.Set("redirect_uri", fmt.Sprintf("http://localhost:%d/callback", port))
+	q.Set("redirect_uri", fmt.Sprintf("http://127.0.0.1:%d/callback", port))
 	// TODO: make scopes configurable
 	q.Set("scope", "repo")
 	q.Set("state", state)
