Skip to content

Allow dev fake attestation on loopback ports#85

Merged
AnthonyRonning merged 1 commit into
masterfrom
codex-sdk-issue-83-opensecret-sdk
Jun 19, 2026
Merged

Allow dev fake attestation on loopback ports#85
AnthonyRonning merged 1 commit into
masterfrom
codex-sdk-issue-83-opensecret-sdk

Conversation

@AnthonyRonning

@AnthonyRonning AnthonyRonning commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Replace the exact port-3000 dev attestation URL check with a URL parser for local HTTP API hosts
  • Allow 127.0.0.1, localhost, 0.0.0.0, and [::1] on any port, including trailing slashes
  • Add Bun coverage for local, production, HTTPS localhost, and invalid URL cases

Fixes #83

Verification

  • VITE_OPEN_SECRET_API_URL=http://127.0.0.1:31110 nix develop -c bun test src/lib/test/integration/attestation.test.ts --timeout 30000
  • nix develop -c ./node_modules/.bin/prettier --check src/lib/attestation.ts src/lib/test/integration/attestation.test.ts
  • nix develop -c bun run build

Open in Devin Review

Summary by CodeRabbit

  • Tests

    • Added integration tests for local development API detection across various hostname and protocol configurations.
  • Improvements

    • Enhanced attestation verification to support a broader range of local development environments, including different hostnames and IPv6 addresses, beyond specific port configurations.

@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a7df5664-5eea-49e1-a417-305792809e53

📥 Commits

Reviewing files that changed from the base of the PR and between e5271fc and 47eadb7.

📒 Files selected for processing (2)
  • src/lib/attestation.ts
  • src/lib/test/integration/attestation.test.ts

📝 Walkthrough

Walkthrough

A new exported helper isLocalDevelopmentApiUrl is added to attestation.ts. It checks whether a URL uses the http: protocol and a loopback hostname (127.0.0.1, localhost, 0.0.0.0, or [::1]), with no port constraint. verifyAttestation's dev-mode branch is updated to call this helper instead of matching exact localhost:3000 strings. Integration tests are added to cover both true and false cases.

Changes

Local dev URL detection and attestation wiring

Layer / File(s) Summary
isLocalDevelopmentApiUrl helper and verifyAttestation wiring
src/lib/attestation.ts
Defines LOCAL_DEVELOPMENT_API_HOSTS (four loopback hostnames) and the exported isLocalDevelopmentApiUrl function that returns true only for http: URLs with a loopback hostname; replaces the hardcoded :3000 string comparisons in verifyAttestation's dev-mode branch with a call to this helper.
Integration tests for isLocalDevelopmentApiUrl
src/lib/test/integration/attestation.test.ts
Updates the import to a multiline named import and adds two parameterized test cases: truthy for loopback IP, localhost, and IPv6 variants on arbitrary ports; falsy for production URLs, scheme-less strings, and invalid inputs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

Poem

🐰 No more port three-thousand chains,
Any loopback hostname now remains!
isLocalDevelopmentApiUrl checks the scheme,
IPv6, localhost — all part of the dream.
From [::1] to 0.0.0.0 we hop,
This little helper makes the hardcoding stop! 🎉

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately describes the main change: replacing hardcoded port 3000 checks with port-agnostic loopback detection for dev fake attestation.
Linked Issues check ✅ Passed The changes directly address all coding requirements from issue #83: port-agnostic loopback detection supporting 127.0.0.1, localhost, 0.0.0.0, [::1] on any port with trailing slash tolerance, plus comprehensive test coverage.
Out of Scope Changes check ✅ Passed All changes are directly scoped to addressing issue #83: adding isLocalDevelopmentApiUrl helper and updating verifyAttestation logic with corresponding test coverage; no unrelated modifications.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex-sdk-issue-83-opensecret-sdk

Comment @coderabbitai help to get the list of available commands and usage tips.

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying opensecret-sdk with  Cloudflare Pages  Cloudflare Pages

Latest commit: 47eadb7
Status: ✅  Deploy successful!
Preview URL: https://9ec9a72e.opensecret-sdk.pages.dev
Branch Preview URL: https://codex-sdk-issue-83-opensecre.opensecret-sdk.pages.dev

View logs

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.

Open in Devin Review

@AnthonyRonning AnthonyRonning merged commit 92f7c5a into master Jun 19, 2026
9 checks passed
@AnthonyRonning AnthonyRonning deleted the codex-sdk-issue-83-opensecret-sdk branch June 19, 2026 23:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Dev fake attestation only works on exact port 3000

1 participant