From 3d9f9fefe41cf0f4d83a893c927fd9c50b5fcabd Mon Sep 17 00:00:00 2001
From: Trevor DeVore
Date: Tue, 16 Sep 2014 23:50:38 -0400
Subject: [PATCH 1/2] The OAuth callback validator was overly aggressive. Desktop applications can use the localhost in order to listen for the response from the OAuth server. In addition, it may listen on a non-standard port. This updated code only verifies the scheme and host. It also adds a WP filter that allows localhost in the URL.
---
 lib/class-wp-json-authentication-oauth1-authorize.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/class-wp-json-authentication-oauth1-authorize.php b/lib/class-wp-json-authentication-oauth1-authorize.php
index 6273571..d2185d8 100644
--- a/lib/class-wp-json-authentication-oauth1-authorize.php
+++ b/lib/class-wp-json-authentication-oauth1-authorize.php
@@ -152,8 +152,14 @@ public function handle_callback_redirect( $verifier ) {
 $callback = $this->token['callback'];
 // Ensure the URL is safe to access
- $callback = wp_http_validate_url( $callback );
- if ( empty( $callback ) ) {
+ // wp_http_validate_url is overly restrictive for desktop applications which might use
+ // 127.0.0.1:xx for the callback. Add hook that allows localhost and check scheme/host of URL.
+ $filtered_callback = parse_url($callback);
+ $filtered_callback = $filtered_callback['scheme'] . '://' . $filtered_callback['host'];
+ add_filter( 'http_request_host_is_external', array('WP_JSON_Authentication_OAuth1_Authorize', 'http_request_allow_external') );
+ $filtered_callback = wp_http_validate_url( $filtered_callback );
+ remove_filter( 'http_request_host_is_external', array('WP_JSON_Authentication_OAuth1_Authorize', 'http_request_allow_external') );
+ if ( empty( $filtered_callback ) ) {
 return new WP_Error( 'json_oauth1_invalid_callback', __( 'The callback URL is invalid' ), array( 'status' => 400 ) );
 }
From 51154ac41a2131911125dde2ae532644abd7738a Mon Sep 17 00:00:00 2001
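Review bot: Only `scheme://host` reaches `wp_http_validate_url()`, so the callback's port, userinfo, path and query are never checked, and unlike the removed line the result is never written back to `$callback`; if the redirect later in `handle_callback_redirect()` (the function starts before and continues past this hunk) still uses `$callback`, the string that was validated is not the string the browser is sent to. Forcing `http_request_host_is_external` to true while the check runs also admits every host, including RFC 1918 and link-local addresses, which is much broader than the loopback case the commit message describes, and `parse_url()` returns false or omits `scheme`/`host` for malformed or scheme-only callbacks, so the concatenation on the following line reads undefined indexes. I would drop the filter and instead parse the callback, reject anything that is not plain `http`/`https` without userinfo, skip the core check only when the host is loopback (`localhost`, `127.0.0.1`, `::1`), and run `wp_http_validate_url()` on the full URL for every other host so `$callback` is the normalized value, as below. If the filter is kept, the callable `array( 'WP_JSON_Authentication_OAuth1_Authorize', 'http_request_allow_external' )` is a static call, so the method added in the follow-up patch needs to be declared `static`, and it should return true only for loopback hosts rather than unconditionally.
```php
// … unchanged: $callback = $this->token['callback']; …
$parts = parse_url( $callback );
if ( false === $parts || empty( $parts['scheme'] ) || empty( $parts['host'] )
	|| isset( $parts['user'] ) || isset( $parts['pass'] )
	|| ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
	return new WP_Error( 'json_oauth1_invalid_callback', __( 'The callback URL is invalid' ), array( 'status' => 400 ) );
}
// Desktop clients listen on loopback, often on a non-standard port; only that case bypasses the core check.
$is_loopback = in_array( strtolower( trim( $parts['host'], '[]' ) ), array( 'localhost', '127.0.0.1', '::1' ), true );
if ( ! $is_loopback ) {
	// Remote callbacks keep the full core validation (host, port, userinfo, path) and use its normalized result.
	$callback = wp_http_validate_url( $callback );
	if ( empty( $callback ) ) {
		return new WP_Error( 'json_oauth1_invalid_callback', __( 'The callback URL is invalid' ), array( 'status' => 400 ) );
	}
}
// … unchanged: rest of handle_callback_redirect …
```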
From: Trevor DeVore
Date: Wed, 17 Sep 2014 00:25:03 -0400
Subject: [PATCH 2/2] Added the filter callback.
---
 lib/class-wp-json-authentication-oauth1-authorize.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/class-wp-json-authentication-oauth1-authorize.php b/lib/class-wp-json-authentication-oauth1-authorize.php
index d2185d8..cd81880 100644
--- a/lib/class-wp-json-authentication-oauth1-authorize.php
+++ b/lib/class-wp-json-authentication-oauth1-authorize.php
@@ -176,7 +176,16 @@ public function handle_callback_redirect( $verifier ) {
 return null;
 }
-
+
+ /**
+ * Allows for local URLs in the OAuth callback.
+ *
+ * @return true
+ */
+ public function http_request_allow_external( $allow ) {
+ return true;
+ }
+
 /**
 * Display an error using login page wrapper
 *