fix(cli): use localhost for CLI callback when app URL is a public hostname

When `multica login` runs against production (multica.ai), the CLI was using the app URL hostname as the callback host, producing a callback URL like `http://multica.ai:PORT/callback`. This URL fails frontend validation (which only allows localhost and private IPs) and can't actually reach the CLI's local HTTP server. Now only private IPs (RFC 1918) are used as the callback host, which matches the intended self-hosted LAN scenario. Public hostnames correctly fall back to localhost. Fixes #974
2026-06-17 11:48:42 +02:00 · 2026-04-14 17:45:42 +08:00
1 changed files with 6 additions and 3 deletions
--- a/server/cmd/multica/cmd_auth.go
+++ b/server/cmd/multica/cmd_auth.go
@@ -99,13 +99,16 @@ func runAuthLoginBrowser(cmd *cobra.Command) error {
 	appURL := resolveAppURL(cmd)

 	// Determine the callback host from the configured app URL.
-	// For self-hosted setups where the browser is on a different machine,
-	// we need to use the server's reachable hostname instead of localhost.
+	// For self-hosted setups where the browser is on a different machine
+	// (e.g. Multica running on a LAN server), use the server's private IP
+	// so the browser can reach the CLI's local HTTP server.
+	// For production (public hostnames like multica.ai), keep localhost —
+	// the browser and CLI are on the same machine.
 	callbackHost := "localhost"
 	bindAddr := "127.0.0.1"
 	if parsed, err := url.Parse(appURL); err == nil {
 		h := parsed.Hostname()
-		if h != "" && h != "localhost" && h != "127.0.0.1" {
+		if ip := net.ParseIP(h); ip != nil && ip.IsPrivate() {
 			callbackHost = h
 			bindAddr = "0.0.0.0"
 		}