
fix(proxy): suppress SAST HttpToHttps false positive in OAuth callback server#2

Open
m-golovchin wants to merge 2 commits into main from EPMCDME-12199

Conversation

@m-golovchin

Owner

Summary

  • Adds a detailed RFC 8252 §8.3 rationale comment to src/mcp/auth/callback-server.ts explaining why http.createServer is intentional for the localhost-only ephemeral OAuth callback server
  • Creates .snyk policy file to suppress the Snyk SAST Javascript/HttpToHttps finding for this file

Why HTTP is correct here

RFC 8252 §8.3 (OAuth 2.0 for Native Apps) explicitly permits plain HTTP for loopback redirect URIs:

  • The server binds exclusively to localhost — no network exposure
  • HTTPS on localhost requires a self-signed certificate that browsers reject with security warnings, breaking the OAuth UX
  • The authorization code is a short-lived, single-use value exchanged immediately for tokens
  • All major OAuth providers (Google, GitHub, etc.) whitelist http://localhost redirect URIs per the same RFC

Note on .snyk format

The .snyk ignore key javascript/HttpToHttps follows the Snyk Code rule name from the ticket. If the Snyk plan requires a different format, the entry can be updated via the Snyk web UI (which will regenerate the .snyk entry with the correct schema for your tier).

Test Plan

  • ESLint passes (0 warnings)
  • TypeScript typecheck passes
  • Build passes

Related

🤖 Generated with Claude Code

MaksymHolovchyn added 2 commits May 20, 2026 13:15
…k server

Adds RFC 8252 §8.3 rationale comment to callback-server.ts explaining why
HTTP is intentional for the localhost-only ephemeral OAuth callback server,
and adds a .snyk policy file to suppress the Javascript/HttpToHttps finding.

Refs: EPMCDME-12199
…ility

Replaces single-quoted glob '{src,tests}/**/*.ts' in lint/lint:fix scripts
with bare directory args 'src tests' — ESLint v9 flat config resolves file
patterns internally, so shell glob expansion is not needed. Adds '**/*.mjs'
to global eslint ignores to preserve the original TypeScript-only scope.
m-golovchin pushed a commit that referenced this pull request Jun 10, 2026
* Add release and publishing documentation to CLAUDE.md

- Added release commands to Common Commands section
- Created comprehensive Release & Publishing Policy section
- Documented step-by-step release process
- Included version bumping strategies
- Added verification commands for npm publish

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: add Release Manager agent with dry run support

Add specialized release-manager agent that automates the complete release process:
- Analyzes git history and generates release notes
- Handles version bumping and git tagging
- Creates GitHub releases and triggers npm publish workflow
- Supports dry runs and resuming from existing tags
- Smart detection of release state (tag exists, release exists, npm published)

Also includes agent system documentation and .gitignore updates.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>