From 71d3696667b14d6cd3274e3ccfbb75d88792c588 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mislav=20Marohni=C4=87?=
Date: Fri, 13 Mar 2020 13:40:04 +0100
Subject: [PATCH] Avoid redirecting to `localhost` during authorization flow

Web developers who have previously ran an application on `http://localhost` that enabled HSTS (HTTP Strict Transport Security) will find themselves unable to authenticate because their browser (typically Safari, in practice) will keep redirecting them to `https://localhost`, which isn't handled by our local server. This switches the authorization callback to be to `127.0.0.1`, which should be equivalent to `localhost`, but not subject to HSTS.
---
 auth/oauth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth/oauth.go b/auth/oauth.go
index 74c7ab6b6..0a7ef93eb 100644
--- a/auth/oauth.go
+++ b/auth/oauth.go
@@ -47,7 +47,7 @@ func (oa *OAuthFlow) ObtainAccessToken() (accessToken string, err error) {
  q := url.Values{}
  q.Set("client_id", oa.ClientID)
- q.Set("redirect_uri", fmt.Sprintf("http://localhost:%d/callback", port))
+ q.Set("redirect_uri", fmt.Sprintf("http://127.0.0.1:%d/callback", port))
  // TODO: make scopes configurable
  q.Set("scope", "repo")
  q.Set("state", state)
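Review bot: The new `redirect_uri` line has no comment explaining why the loopback literal is used instead of `localhost`, so a later cleanup could quietly revert it; add `// 127.0.0.1, not localhost: a cached HSTS policy for localhost makes the browser upgrade the callback to https` above it. The listener that serves `/callback` is created outside this hunk, so confirm it is bound to IPv4 loopback (not `localhost` or `::1`), otherwise the redirect will not reach it. The callback URL registered for the OAuth app also has to accept the `127.0.0.1` host, which is not visible here. ObtainAccessToken's body starts and ends outside the hunk.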