Web developers who have previously run an application on
`http://localhost` that enabled HSTS (HTTP Strict Transport Security)
will find themselves unable to authenticate because their browser
(typically Safari, in practice) will keep redirecting them to
`https://localhost`, which isn't handled by our local server.
This switches the authorization callback to be to `127.0.0.1`, which
should be equivalent to `localhost`, but not subject to HSTS.

Mitigates https://github.com/cli/cli/issues/297

This adds some more information to the output when authentication fails
due to `gh` being unable to open a browser. It communicates the details
of the workaround without the user having to search issues on the `gh`
repo to see how to get around it.

Before, the local server handled any request regardless of path, which
could potentially include requests generated by the browser such as the
one for favicon. This could lead to race conditions around reading the
code to continue the OAuth flow with.
Now, have the OAuth flow redirect to `localhost:PORT/callback` and only
handle `/callback` requests specifically.
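
The callback handling described in the messages above, as an added Go example that is not code from the `gh` repository: a handler that serves only `/callback`, so a stray browser request such as `/favicon.ico` cannot consume the authorization code. The `state` check, the code channel, port 8080 and the sample URLs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// callbackHandler serves only the exact path /callback; other browser-generated
// requests get a 404. wantState and codeCh are assumptions of this example.
func callbackHandler(wantState string, codeCh chan<- string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("code") == "" || q.Get("state") != wantState {
			http.Error(w, "invalid callback", http.StatusBadRequest)
			return
		}
		select {
		case codeCh <- q.Get("code"): // first valid callback wins
			fmt.Fprintln(w, "Authenticated. You may close this tab.")
		default: // a code was already delivered; later requests cannot replace it
			http.Error(w, "already completed", http.StatusConflict)
		}
	})
	return mux
}

// replay runs constructed URLs through the handler; returns each status and the code received.
func replay(urls []string) ([]int, string) {
	codeCh := make(chan string, 1)
	h := callbackHandler("s3", codeCh)
	var statuses []int
	for _, u := range urls {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, u, nil))
		statuses = append(statuses, rec.Code)
	}
	close(codeCh) // no more sends; an empty channel now yields ""
	return statuses, <-codeCh
}

func main() {
	// Constructed traffic; a real server would bind with net.Listen("tcp4", "127.0.0.1:0").
	fmt.Println(replay([]string{
		"http://127.0.0.1:8080/favicon.ico",
		"http://127.0.0.1:8080/callback?code=abc123&state=s3",
	}))
}
```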