chore(xai-oauth): trim CORS allowlist to xAI auth origins

Drop accounts.mouseion.dev and localhost:20000 / 127.0.0.1:20000 from
the loopback callback CORS allowlist — leftover dev origins. The
redirect_uri is bound to 127.0.0.1 and gated by PKCE + state, so only
xAI's own auth origins are needed.

Co-Authored-By: Jaaneek <Jaaneek@users.noreply.github.com>
teknium1 2026-05-15 12:11:08 -07:00 committed by Teknium
parent 7d7cdd48e0
commit aac6d97a14


@ -2081,12 +2081,12 @@ def _xai_validate_loopback_redirect_uri(redirect_uri: str) -> tuple[str, int, st
def _xai_callback_cors_origin(origin: Optional[str]) -> str:
# CORS allowlist for the loopback callback. Only xAI's own auth origins
# are accepted; the redirect_uri itself is bound to 127.0.0.1 and gated by
# PKCE+state, so additional dev/3p origins are not needed here.
allowed = {
"https://accounts.x.ai",
"https://auth.x.ai",
"https://accounts.mouseion.dev",
"http://localhost:20000",
"http://127.0.0.1:20000",
}
return origin if origin in allowed else ""
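Review bot: the comment at the top of `_xai_callback_cors_origin` says only xAI's own auth origins are accepted, but the `allowed` set as rendered here still lists "https://accounts.mouseion.dev", "http://localhost:20000" and "http://127.0.0.1:20000", which the commit message says are being dropped. If those three lines are the removed side of the hunk and the page simply lost the `-` markers, the change is fine; otherwise the set should be reduced to "https://accounts.x.ai" and "https://auth.x.ai" so the code matches both the comment and the commit message. Two smaller points: exact-match membership on the full origin string is the right check (no suffix or prefix matching, so "https://auth.x.ai.example" cannot slip through), and since the function returns "" for a rejected origin, the caller should omit the Access-Control-Allow-Origin header entirely in that case rather than emit an empty value, and should send `Vary: Origin` so an allowed response is not cached and served to a different origin.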