From 6167df084f527ac5e41de9238de00f5a80c46c0f Mon Sep 17 00:00:00 2001
From: Julien Calixte
Date: Sat, 28 Mar 2026 23:18:32 +0100
Subject: [PATCH] Replace localhost with 127.0.0.1 in redirect_uris (RFC 8252)
Co-Authored-By: Claude Sonnet 4.6
---
 public/client-metadata.json | 4 ++--
 src/lib/atproto.ts | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/public/client-metadata.json b/public/client-metadata.json
index 34d2dd5..c69a1eb 100644
--- a/public/client-metadata.json
+++ b/public/client-metadata.json
@@ -4,8 +4,8 @@
 "client_uri": "https://coffee.apoena.dev",
 "redirect_uris": [
 "https://coffee.apoena.dev/oauth/callback",
- "http://localhost:5173/oauth/callback",
- "http://localhost:5174/oauth/callback"
+ "http://127.0.0.1:5173/oauth/callback",
+ "http://127.0.0.1:5174/oauth/callback"
 ],
 "grant_types": ["authorization_code", "refresh_token"],
 "response_types": ["code"],
diff --git a/src/lib/atproto.ts b/src/lib/atproto.ts
index 532288e..c662c15 100644
--- a/src/lib/atproto.ts
+++ b/src/lib/atproto.ts
@@ -5,8 +5,9 @@ import { Agent } from '@atproto/api'
 // so the PDS can fetch it — even in local dev.
 const PROD_URL = 'https://coffee.apoena.dev'
-// redirect_uri is dynamic so local dev redirects back to localhost
-const ORIGIN = window.location.origin
+// redirect_uri is dynamic so local dev redirects back to the right origin.
+// RFC 8252 forbids "localhost" — replace with 127.0.0.1 for loopback.
+const ORIGIN = window.location.origin.replace('localhost', '127.0.0.1')
 let _client: BrowserOAuthClient | null = null
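Review bot: In src/lib/atproto.ts, `.replace('localhost', '127.0.0.1')` rewrites the first occurrence of that substring anywhere in `window.location.origin`, so a host such as `localhost.example.test` (constructed example) would be altered too. Since the comment says this value feeds redirect_uri, match the hostname exactly instead: `const loc = new URL(window.location.origin)`, `if (loc.hostname === 'localhost') loc.hostname = '127.0.0.1'`, `const ORIGIN = loc.origin`. Separately, when the dev page is opened on `http://localhost:5173`, the callback now lands on a different browser origin. Any origin-scoped state the OAuth client saved before redirecting would presumably not be visible there, so confirm the flow still completes or send the page to 127.0.0.1 before starting sign-in. The new comment says RFC 8252 "forbids" localhost, whereas section 8.3 words it as NOT RECOMMENDED, so the comment could be softened to match.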