fix(oauth): allow wildcard ChatGPT callback URI pattern

ChatGPT regenerates its GPT ID (and callback URL) every time the GPT is saved, making exact redirect_uri matching impossible. Added support for the registered URI pattern https://chat.openai.com/aip/*/oauth/callback which matches any valid ChatGPT GPT callback via regex. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 00:15:46 -04:00
parent c6504ec60f
commit c270f8f74b
2 changed files with 5 additions and 1 deletions
--- a/hermes-k8s.yaml
+++ b/hermes-k8s.yaml
@@ -22,7 +22,7 @@ spec:
        fsGroup: 1000
      containers:
        - name: hermes-mcp
-          image: localhost:32000/hermes-mcp@sha256:d98ef6d2fde25c11233f614f839b09958bfb772c9a5b26fe8374cf6ffd5417a2
+          image: localhost:32000/hermes-mcp@sha256:6685df4c86cceeaeb645c9ccee32f9396915a7c30e57f685945056c92516723d
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
--- a/src/oauth.ts
+++ b/src/oauth.ts
@@ -181,10 +181,14 @@ export async function createAuthCode(
  return code;
 }

+const CHATGPT_CALLBACK_RE = /^https:\/\/chat\.openai\.com\/aip\/g-[a-f0-9]+\/oauth\/callback$/;
+
 export function isValidRedirectUri(uri: string, registeredUris: string[]): boolean {
  for (const registered of registeredUris) {
    if (registered === uri) return true;
    if (registered === 'http://localhost:*' && /^http:\/\/localhost:\d+(\/|$)/.test(uri)) return true;
+    // Allow any ChatGPT GPT callback — GPT ID changes every time the GPT is saved
+    if (registered === 'https://chat.openai.com/aip/*/oauth/callback' && CHATGPT_CALLBACK_RE.test(uri)) return true;
  }
  return false;
 }