Remove loopback redirect URIs — web apps can't use them per ATProto spec

OAuth only works on coffee.apoena.dev. Local dev is for UI only.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

public/client-metadata.json

@@ -3,9 +3,7 @@
   "client_name": "Coffee Map",
   "client_uri": "https://coffee.apoena.dev",
   "redirect_uris": [
-    "https://coffee.apoena.dev/oauth/callback",
-    "http://127.0.0.1:5173/oauth/callback",
-    "http://127.0.0.1:5174/oauth/callback"
+    "https://coffee.apoena.dev/oauth/callback"
   ],
   "grant_types": ["authorization_code", "refresh_token"],
   "response_types": ["code"],

src/lib/atproto.ts

@@ -5,9 +5,8 @@ import { Agent } from '@atproto/api'
 // so the PDS can fetch it — even in local dev.
 const PROD_URL = 'https://coffee.apoena.dev'
 
-// redirect_uri is dynamic so local dev redirects back to the right origin.
-// RFC 8252 forbids "localhost" — replace with 127.0.0.1 for loopback.
-const ORIGIN = window.location.origin.replace('localhost', '127.0.0.1')
+// OAuth only works on the deployed domain (web apps can't use loopback).
+const ORIGIN = PROD_URL
 
 let _client: BrowserOAuthClient | null = null
 

vite.config.ts

@@ -5,9 +5,6 @@ import UnoCSS from 'unocss/vite'
 import { fileURLToPath } from 'node:url'
 
 export default defineConfig({
-  server: {
-    host: '127.0.0.1',
-  },
   resolve: {
     alias: {
       '@': fileURLToPath(new URL('./src', import.meta.url)),