OAuth redirect uses 127.0.0.1 instead of localhost — causes 400 Bad Request for Desktop App clients

[Asborien]

Problem

The OAuth authentication flow in auth.js uses http://127.0.0.1:<port> as the redirect URI:

await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
const redirectUri = `http://127.0.0.1:${port}`;

Google's OAuth for Desktop App clients only accepts http://localhost redirects, not http://127.0.0.1. This results in a 400 Bad Request error when the user tries to authorise the app.

From Google's documentation:

For loopback IP redirect URIs, use localhost rather than the literal loopback IP address. [...] The 127.0.0.1 form is not supported for desktop app redirect URIs.

Fix

Change all three occurrences in src/auth.ts:

- await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
+ await new Promise((resolve) => server.listen(0, 'localhost', resolve));

- const redirectUri = `http://127.0.0.1:${port}`;
+ const redirectUri = `http://localhost:${port}`;

- const url = new URL(req.url, `http://127.0.0.1:${port}`);
+ const url = new URL(req.url, `http://localhost:${port}`);

Environment

• @a-bonus/google-docs-mcp v1.3.1
• WSL2 (Ubuntu) on Windows 11
• OAuth client type: Desktop App
• Google Cloud project with Docs, Sheets, Drive, Apps Script APIs enabled

[a-bonus]

feel free to make a pr!