From 432b31c7b1f364dd911895320e74651000ea3b4e Mon Sep 17 00:00:00 2001
From: Pleasure1234 <3196812536@qq.com>
Date: Wed, 17 Dec 2025 02:11:11 +0000
Subject: [PATCH] fix: Bind OAuth callback server to localhost (#11956)

Updated the server to listen explicitly on 127.0.0.1 instead of all interfaces. The log message was also updated to reflect the new binding address.
---
 src/main/services/mcp/oauth/callback.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/services/mcp/oauth/callback.ts b/src/main/services/mcp/oauth/callback.ts
index c13ecd5c0..7da754458 100644
--- a/src/main/services/mcp/oauth/callback.ts
+++ b/src/main/services/mcp/oauth/callback.ts
@@ -128,8 +128,8 @@ export class CallBackServer {
     })
 
     return new Promise<http.Server>((resolve, reject) => {
-      server.listen(port, () => {
-        logger.info(`OAuth callback server listening on port ${port}`)
+      server.listen(port, '127.0.0.1', () => {
+        logger.info(`OAuth callback server listening on 127.0.0.1:${port}`)
         resolve(server)
       })