(rawUrl: string | null | undefined)
| 12 | * http allowed only for loopback addresses during local development. |
| 13 | */ |
export function assertSafeOauthServerUrl(rawUrl: string | null | undefined): URL {
  // Purpose: return the parsed URL only when its transport is acceptable for an
  // OAuth server (https anywhere, plain http for loopback hosts); in every other
  // case throw McpOauthInsecureUrlError.
  //
  // Only the scheme (and, for http, the hostname) is inspected. An https URL is
  // returned for any host, so restrictions on where the URL may point have to be
  // enforced elsewhere if they are needed.

  // null, undefined and the empty string are rejected before any parsing.
  if (!rawUrl) {
    // NOTE(review): the raw value is handed to the error unchanged here and in
    // the two throws below. If these URLs can carry userinfo or query secrets,
    // confirm McpOauthInsecureUrlError does not surface them unredacted.
    throw new McpOauthInsecureUrlError(String(rawUrl))
  }

  let target: URL
  try {
    target = new URL(rawUrl)
  } catch {
    // Unparseable input is reported with the same error type as an insecure URL.
    throw new McpOauthInsecureUrlError(rawUrl)
  }

  const scheme = target.protocol
  const usesTls = scheme === 'https:'
  // Short-circuit keeps isLoopbackHostname from being consulted unless the
  // scheme is plain http. URL.hostname keeps the brackets on IPv6 literals
  // ('[::1]'); presumably isLoopbackHostname accounts for that, so verify.
  // NOTE(review): nothing in this function gates the loopback exemption on a
  // development mode; confirm configuration keeps http loopback URLs out of
  // production if that is the intent.
  const isLoopbackPlaintext = scheme === 'http:' && isLoopbackHostname(target.hostname)

  if (!usesTls && !isLoopbackPlaintext) {
    throw new McpOauthInsecureUrlError(rawUrl)
  }
  return target
}
no test coverage detected