Fix guide · low · oauth_redirect_uri_localhost

OAuth redirect_uri points at localhost in a production bundle

Why it matters

This isn't a credential exposure. It's a deploy-pipeline smell that tends to come bundled with one.

The likely scenario:

• A developer wired OAuth on their laptop with http://localhost:3000/auth/callback registered at the provider.
• The same string got committed to the bundle as a hard-coded fallback.
• Production builds use the same bundle without environment substitution.

The functional consequence: when a user clicks "Login with Google" on your production site, they get redirected to the provider, then bounced to http://localhost:3000/auth/callback — which their browser interprets as their own machine, where nothing is listening. Login appears to fail silently for everyone except developers running the app locally.

The security adjacent: if localhost is hard-coded for OAuth, it's likely hard-coded elsewhere too — supabase URL, API host, Stripe webhook secret. Worth grep'ing the bundle.

How to fix it

1. Remove the localhost OAuth config from the production build. Your bundler (Vite, Next, Webpack) should be reading per-environment env vars at build time.
2. Verify the production OAuth provider allowlist — remove the localhost entry entirely from the production app's registered redirect URIs. Localhost belongs in a separate "development" OAuth client.
3. Maintain two OAuth clients per provider when possible: one with http://localhost:* allowed, used only by your dev team; one production-only with the real callback URL allowed.
4. Add a build-time assertion: in your config layer, throw if process.env.NODE_ENV === "production" and the OAuth callback URL contains localhost.

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.