UNPKG

@mintlify/common

Version:

Commonly shared code within Mintlify

31 lines (30 loc) 2.1 kB
import { describe, expect, it } from 'vitest'; import { isAllowedAdminMcpRedirectUri } from './knownMcpClients.js'; describe('isAllowedAdminMcpRedirectUri', () => { it('allows loopback addresses', () => { expect(isAllowedAdminMcpRedirectUri('http://localhost:3000/callback', [])).toBe(true); expect(isAllowedAdminMcpRedirectUri('http://127.0.0.1:8080/cb', [])).toBe(true); expect(isAllowedAdminMcpRedirectUri('http://[::1]:3000/cb', [])).toBe(true); }); it('allows known public MCP clients', () => { expect(isAllowedAdminMcpRedirectUri('https://claude.ai/api/mcp/auth_callback', [])).toBe(true); expect(isAllowedAdminMcpRedirectUri('https://claude.com/api/mcp/auth_callback', [])).toBe(true); expect(isAllowedAdminMcpRedirectUri('https://chatgpt.com/connector_oauth', [])).toBe(true); expect(isAllowedAdminMcpRedirectUri('https://chat.openai.com/connector_oauth', [])).toBe(true); expect(isAllowedAdminMcpRedirectUri('cursor://anysphere.cursor-mcp/callback', [])).toBe(true); expect(isAllowedAdminMcpRedirectUri('https://api.gumloop.com/auth/callback', [])).toBe(true); expect(isAllowedAdminMcpRedirectUri('https://beta.api.gumloop.com/auth/callback', [])).toBe(true); expect(isAllowedAdminMcpRedirectUri('https://staging.api.gumloop.com/auth/callback', [])).toBe(true); expect(isAllowedAdminMcpRedirectUri('https://api.gumstack.com/auth/callback', [])).toBe(true); }); it('rejects unknown remote hosts when not allowlisted by the deployment', () => { expect(isAllowedAdminMcpRedirectUri('https://attacker.example/cb', [])).toBe(false); }); it('allows hosts the deployment has explicitly allowlisted', () => { expect(isAllowedAdminMcpRedirectUri('https://internal.acme.com/cb', ['internal.acme.com'])).toBe(true); }); it('rejects dangerous protocols', () => { expect(isAllowedAdminMcpRedirectUri('javascript:alert(1)', [])).toBe(false); expect(isAllowedAdminMcpRedirectUri('data:text/html,<h1>hi</h1>', [])).toBe(false); }); });