From f4e100dc146d233521e2084c7457dd4e32c53c0f Mon Sep 17 00:00:00 2001
From: Emily Stark
Date: Tue, 9 Sep 2014 21:28:08 -0700
Subject: [PATCH] Allow end-of-OAuth redirect URLs to be 127.0.0.1.

We were being too restrictive about validating our redirect at the end of the OAuth redirect flow: 127.0.0.1 is okay even if ROOT_URL is localhost.
---
 packages/oauth/oauth_server.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/oauth/oauth_server.js b/packages/oauth/oauth_server.js
index 29ee776d72..ac3dff10ad 100644
--- a/packages/oauth/oauth_server.js
+++ b/packages/oauth/oauth_server.js
@@ -370,7 +370,12 @@ OAuth._endOfLoginResponse = function (res, details) {
   if (details.loginStyle === 'redirect') {
     redirectUrl = OAuth._stateFromQuery(details.query).redirectUrl;
     var appHost = Meteor.absoluteUrl();
-    if (redirectUrl.substr(0, appHost.length) !== appHost) {
+    var appHostReplacedLocalhost = Meteor.absoluteUrl(undefined, {
+      replaceLocalhost: true
+    });
+    if (redirectUrl.substr(0, appHost.length) !== appHost &&
+        redirectUrl.substr(0, appHostReplacedLocalhost.length) !==
+        appHostReplacedLocalhost) {
       details.error = "redirectUrl (" + redirectUrl + ") is not on the same host as the app (" + appHost + ")";
       redirectUrl = appHost;
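Review bot: The new condition still decides by raw string prefix, so it is only as strict as the trailing `/` on the values `Meteor.absoluteUrl()` returns; if either `appHost` or `appHostReplacedLocalhost` were ever produced without it, a URL whose host merely begins with the app's host would be accepted. Because `redirectUrl` is read from the OAuth state carried in the query string, it is externally influenced input, and an exact origin comparison (scheme and host of the parsed `redirectUrl` against both app URLs) would be more robust than the two `substr` checks. The same `substr` call throws if the state carries no `redirectUrl`; a guard `if (!redirectUrl || (...))` would route that case to the existing `details.error` path instead. At minimum a comment such as `// prefix match relies on absoluteUrl() ending in "/" — otherwise host-prefix URLs would pass` should record the assumption the check depends on. `OAuth._endOfLoginResponse` begins and ends outside the hunk.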