hermes-agent/tests/plugins/dashboard_auth
Joey Kerper f3d2dfbec6
fix(dashboard_auth): allow any http:// host in self-hosted OIDC redirect_uri (#55099)
The self-hosted OIDC dashboard login rejected any http:// redirect_uri
whose host was not localhost/127.0.0.1, surfacing "redirect_uri may only use http:// for localhost/127.0.0.1" before reaching the IDP. This broke self-hosted dashboards reached over plain HTTP (including LAN IPs, internal hostnames, and reverse proxies that terminate TLS upstream).

#38827 already dropped this check from the nous provider, but the generic self-hosted provider copied the old localhost-only
branch and reintroduced the bug for HERMES_DASHBOARD_OIDC_ISSUER setups.

The IDP's own allowlist is authoritative on which redirect_uris are
permitted; this client-side _validate_redirect_uri is only a fast-fail for
obvious operator error and should not second-guess valid http:// deployments.

Fix: drop the localhost-only branch on the http scheme. Validation now enforces only that the scheme is http(s) and the path ends with
/auth/callback. Updated the docstring to explain the relaxed contract,
and added test_allows_http_with_arbitrary_host covering an internal
hostname and a LAN IP alongside the existing localhost case.
2026-06-30 09:45:11 +10:00
test_basic_provider.py test(dashboard-auth): cover password login route, provider, and plugin 2026-06-04 01:02:25 -07:00
test_drain_provider.py fix(dashboard-auth): exclude non-interactive providers from interactive login surfaces (#53239) 2026-06-27 10:08:13 +10:00
test_nous_provider.py fix(dashboard_auth): allow any http:// host in redirect_uri fast-fail (#38827) 2026-06-04 00:51:44 -07:00
test_self_hosted_provider.py fix(dashboard_auth): allow any http:// host in self-hosted OIDC redirect_uri (#55099) 2026-06-30 09:45:11 +10:00