jake-low
Contributor
I've modified the OAuth redirect logic to support the workflow where a developer runs the frontend locally while using the production website's backend API. When the initial request's Origin header is localhost or 127.0.0.1, that hostname is used as the redirect target, rather than the configured value that would normally be used.

To do this, we're now constructing an OAuth2Session instance per request. In OSMCha/osmcha-frontend#743 (comment) I speculated that this might not be safe, but I now believe that it is. The front page of requests-oauthlib's docs actually demonstrates exactly this pattern.

Once this is deployed to production, you'll be able to run osmcha-frontend using yarn run start (which by default uses REACT_APP_PRODUCTION_API_URL='https://osmcha.org/api/v1'), and click the "Sign in" button to log in as if you were logging in on osmcha.org. Upon successful authentication you'll be redirected back to your local development frontend.

I tested this manually by poking the API server with curl. In the below examples, the development server thinks that it's running on http://osmcha.example.com (and OAUTH_REDIRECT_URI is set accordingly).

localhost:

```
$ curl -X POST -H "Origin: http://localhost:3000" http://localhost:8000/api/v1/social-auth/ | jq -r .auth_url | trurl -f - -g '{query:redirect_uri}'
http://localhost:3000/authorized
```

127.0.0.1:

```
$ curl -X POST -H "Origin: http://127.0.0.1:3000" http://localhost:8000/api/v1/social-auth/ | jq -r .auth_url | trurl -f - -g '{query:redirect_uri}'
http://127.0.0.1:3000/authorized
```

HTTPS localhost:

```
$ curl -X POST -H "Origin: https://localhost:8080" http://localhost:8000/api/v1/social-auth/ | jq -r .auth_url | trurl -f - -g '{query:redirect_uri}'
https://localhost:8080/authorized
```

Production domain:

```
$ curl -X POST -H "Origin: https://osmcha.example.com" http://localhost:8000/api/v1/social-auth/ | jq -r .auth_url | trurl -f - -g '{query:redirect_uri}'
http://osmcha.example.com/authorized
```

No Origin header:

```
$ curl -X POST http://localhost:8000/api/v1/social-auth/ | jq -r .auth_url | trurl -f - -g '{query:redirect_uri}'
http://osmcha.example.com/authorized
```

Malformed Origin header:

```
$ curl -X POST -H "Origin: lol-not-a-url" http://localhost:8000/api/v1/social-auth/ | jq -r .auth_url | trurl -f - -g '{query:redirect_uri}'
http://osmcha.example.com/authorized
```

Malicious domain no. 1 (unrelated domain attempting to authenticate via OSMCha):

```
$ curl -X POST -H "Origin: https://evil.com" http://localhost:8000/api/v1/social-auth/ | jq -r .auth_url | trurl -f - -g '{query:redirect_uri}'
http://osmcha.example.com/authorized
```

Malicious domain no. 2 (contains "localhost" as a substring):

```
$ curl -X POST -H "Origin: https://notlocalhost.com" http://localhost:8000/api/v1/social-auth/ | jq -r .auth_url | trurl -f - -g '{query:redirect_uri}'
http://osmcha.example.com/authorized
```
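The redirect-target selection that the curl matrix above exercises, written out as an added Python example (not the PR's own code): an exact hostname match against `localhost` / `127.0.0.1`, scheme and port carried over from the Origin, and a fall-back to the configured URI for a missing, malformed, unrelated or look-alike Origin. The configured value and the `/authorized` path are taken from the output above; the function and constant names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed configured value; the description's test server used this host.
OAUTH_REDIRECT_URI = "http://osmcha.example.com/authorized"

# Exact-match allowlist. A substring test ("localhost" in host) would accept
# notlocalhost.com, which is exactly the case the PR's last curl call checks.
DEV_HOSTS = {"localhost", "127.0.0.1"}


def redirect_uri_for_origin(origin, configured_uri=OAUTH_REDIRECT_URI):
    """Pick the OAuth redirect_uri for a request carrying this Origin header.

    Only an Origin whose hostname is exactly localhost or 127.0.0.1 overrides
    the configured value. Its scheme and port are preserved, so an Origin of
    https://localhost:8080 yields https://localhost:8080/authorized. Anything
    else (absent header, unparseable value, other host) uses configured_uri.
    """
    if not origin:
        return configured_uri
    try:
        parts = urlsplit(origin)
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return configured_uri
    if parts.scheme not in ("http", "https") or host not in DEV_HOSTS:
        return configured_uri
    # Rebuild from the parsed hostname and port rather than echoing netloc,
    # so userinfo or other oddities in the header never reach the redirect.
    netloc = f"{host}:{port}" if port else host
    return f"{parts.scheme}://{netloc}/authorized"


# Constructed inputs mirroring the description's curl matrix.
CASES = {
    "http://localhost:3000": "http://localhost:3000/authorized",
    "http://127.0.0.1:3000": "http://127.0.0.1:3000/authorized",
    "https://localhost:8080": "https://localhost:8080/authorized",
    "https://osmcha.example.com": OAUTH_REDIRECT_URI,
    None: OAUTH_REDIRECT_URI,
    "lol-not-a-url": OAUTH_REDIRECT_URI,
    "https://evil.com": OAUTH_REDIRECT_URI,
    "https://notlocalhost.com": OAUTH_REDIRECT_URI,
}


def check_cases():
    """Return True when every case resolves to the expected redirect_uri."""
    return all(redirect_uri_for_origin(o) == want for o, want in CASES.items())


if __name__ == "__main__":
    for origin, want in CASES.items():
        print(f"{origin!r:32} -> {redirect_uri_for_origin(origin)}")
    print("all cases ok:", check_cases())
```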

This commit modifies the OAuth redirect logic to support the workflow
where a developer runs the frontend locally while using the production
website's backend API. When the initial request's Origin header is
localhost or 127.0.0.1, that hostname is used as the redirect target,
rather than the configured value that would normally be used.