@mintlify/common
Version:
Commonly shared code within Mintlify
31 lines (30 loc) • 2.1 kB
JavaScript
import { describe, expect, it } from 'vitest';
import { isAllowedAdminMcpRedirectUri } from './knownMcpClients.js';
describe('isAllowedAdminMcpRedirectUri', () => {
it('allows loopback addresses', () => {
expect(isAllowedAdminMcpRedirectUri('http://localhost:3000/callback', [])).toBe(true);
expect(isAllowedAdminMcpRedirectUri('http://127.0.0.1:8080/cb', [])).toBe(true);
expect(isAllowedAdminMcpRedirectUri('http://[::1]:3000/cb', [])).toBe(true);
});
it('allows known public MCP clients', () => {
expect(isAllowedAdminMcpRedirectUri('https://claude.ai/api/mcp/auth_callback', [])).toBe(true);
expect(isAllowedAdminMcpRedirectUri('https://claude.com/api/mcp/auth_callback', [])).toBe(true);
expect(isAllowedAdminMcpRedirectUri('https://chatgpt.com/connector_oauth', [])).toBe(true);
expect(isAllowedAdminMcpRedirectUri('https://chat.openai.com/connector_oauth', [])).toBe(true);
expect(isAllowedAdminMcpRedirectUri('cursor://anysphere.cursor-mcp/callback', [])).toBe(true);
expect(isAllowedAdminMcpRedirectUri('https://api.gumloop.com/auth/callback', [])).toBe(true);
expect(isAllowedAdminMcpRedirectUri('https://beta.api.gumloop.com/auth/callback', [])).toBe(true);
expect(isAllowedAdminMcpRedirectUri('https://staging.api.gumloop.com/auth/callback', [])).toBe(true);
expect(isAllowedAdminMcpRedirectUri('https://api.gumstack.com/auth/callback', [])).toBe(true);
});
it('rejects unknown remote hosts when not allowlisted by the deployment', () => {
expect(isAllowedAdminMcpRedirectUri('https://attacker.example/cb', [])).toBe(false);
});
it('allows hosts the deployment has explicitly allowlisted', () => {
expect(isAllowedAdminMcpRedirectUri('https://internal.acme.com/cb', ['internal.acme.com'])).toBe(true);
});
it('rejects dangerous protocols', () => {
expect(isAllowedAdminMcpRedirectUri('javascript:alert(1)', [])).toBe(false);
expect(isAllowedAdminMcpRedirectUri('data:text/html,<h1>hi</h1>', [])).toBe(false);
});
});