@cloudflare/workers-oauth-provider 0.3.0 → 0.3.1

package/dist/oauth-provider.js

@@ -1390,14 +1390,16 @@ function validateRedirectUriScheme(redirectUri) {
 	for (const dangerousScheme of dangerousSchemes) if (scheme === dangerousScheme) throw new Error("Invalid redirect URI");
 }
 /**
-* Checks if a URI is a loopback redirect URI (127.0.0.0/8 or ::1)
-* Per RFC 8252 Section 7.3, these get special port handling
+* Checks if a URI is a loopback redirect URI (127.0.0.0/8, ::1, or localhost).
+* Per RFC 8252 Section 7.3, loopback IPs get special port handling. This library
+* applies the same port flexibility to localhost for native apps (e.g., Claude Code).
 */
 function isLoopbackUri(uri) {
 	try {
 		const host = new URL(uri).hostname;
 		if (host.match(/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/)) return true;
 		if (host === "::1" || host === "[::1]") return true;
+		if (host.toLowerCase() === "localhost") return true;
 		return false;
 	} catch {
 		return false;
@@ -1405,7 +1407,7 @@ function isLoopbackUri(uri) {
 }
 /**
 * Validates a redirect URI against registered URIs with RFC 8252 loopback support.
-* For loopback URIs (127.x.x.x, ::1), any port is allowed as long as scheme, host, path, and query match.
+* For loopback URIs (127.x.x.x, ::1, localhost), any port is allowed as long as scheme, host, path, and query match.
 * For non-loopback URIs, exact match is required.
 */
 function isValidRedirectUri(requestUri, registeredUris) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",