From 34beab2294fb6087751212ff99900e87a1b97e8e Mon Sep 17 00:00:00 2001
From: Samuel Plumppu <6125097+Greenheart@users.noreply.github.com>
Date: Tue, 30 Sep 2025 11:40:52 +0200
Subject: [PATCH 1/2] Only redirect to loopback if the storage uses OAuth
 redirects.

This makes it possible to use the `local` storage with `localhost` which makes Keystatic more consistent with other Git-based CMSes.

Also documented why the loopback redirect is necessary.
---
 packages/keystatic/src/app/ui.tsx | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/packages/keystatic/src/app/ui.tsx b/packages/keystatic/src/app/ui.tsx
index e4501a355..541ef7d96 100644
--- a/packages/keystatic/src/app/ui.tsx
+++ b/packages/keystatic/src/app/ui.tsx
@@ -4,6 +4,7 @@ import {
   useContext,
   useEffect,
   useState,
+  Fragment,
 } from 'react';
 
 import { Button } from '@keystar/ui/button';
@@ -269,6 +270,10 @@ function AuthWrapper(props: {
   return null;
 }
 
+/**
+ * Use loopback instead of localhost to follow OAuth best practices.
+ * Learn more: https://datatracker.ietf.org/doc/html/rfc8252#section-8.3
+ */
 function RedirectToLoopback(props: { children: ReactNode }) {
   useEffect(() => {
     if (window.location.hostname === 'localhost') {
@@ -292,9 +297,13 @@ export function Keystatic(props: {
     assertValidRepoConfig(props.config.storage.repo);
   }
 
+  // The loopback redirect is only needed if the storage uses OAuth callbacks.
+  const Wrapper =
+    props.config.storage.kind === 'local' ? Fragment : RedirectToLoopback;
+
   return (
     <ClientOnly>
-      <RedirectToLoopback>
+      <Wrapper>
         <AppSlugProvider value={props.appSlug}>
           <RouterProvider>
             <Provider config={props.config}>
@@ -302,7 +311,7 @@ export function Keystatic(props: {
             </Provider>
           </RouterProvider>
         </AppSlugProvider>
-      </RedirectToLoopback>
+      </Wrapper>
     </ClientOnly>
   );
 }

From 77866674516f0a240f7c1a8ac400a7d083ba85a8 Mon Sep 17 00:00:00 2001
From: Samuel Plumppu <6125097+Greenheart@users.noreply.github.com>
Date: Tue, 30 Sep 2025 11:48:45 +0200
Subject: [PATCH 2/2] Add changeset

---
 .changeset/cyan-buttons-obey.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/cyan-buttons-obey.md

diff --git a/.changeset/cyan-buttons-obey.md b/.changeset/cyan-buttons-obey.md
new file mode 100644
index 000000000..9052139ab
--- /dev/null
+++ b/.changeset/cyan-buttons-obey.md
@@ -0,0 +1,5 @@
+---
+'@keystatic/core': patch
+---
+
+Only redirect to loopback if the storage uses OAuth redirects.