From 8a31270ec1d2adce8363cf8e09d8e8f1d26d635d Mon Sep 17 00:00:00 2001
From: MorganOnCode <87934408+MorganOnCode@users.noreply.github.com>
Date: Fri, 15 May 2026 10:40:30 +0000
Subject: [PATCH] fix(demo): self-call host respects config.server.host
Closes audit #14. The demo route makes loopback fetch calls to its own server (/supported, /verify, /settle, etc. -- a 7-step live demo). The URL was hardcoded to http://127.0.0.1:${port}, which works because we listen on 0.0.0.0 in production and 127.0.0.1 inside the container reaches the same process. But it's brittle: any operator who changes server.host to a specific IP would break the demo. Fix: read fastify.config.server.host, and substitute 127.0.0.1 when the configured host is the wildcard 0.0.0.0 (since the wildcard isn't a valid client address). No production behaviour change today -- server.host stays 0.0.0.0 so the resulting URL is identical (127.0.0.1:port). The fix simply makes the route honor whatever the operator configures.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 src/routes/demo.ts | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/routes/demo.ts b/src/routes/demo.ts
index 8d2f0eb..4b76858 100644
--- a/src/routes/demo.ts
+++ b/src/routes/demo.ts
@@ -93,7 +93,12 @@ const demoRoutes: FastifyPluginCallback = (fastify, _options, done) => {
 demoRunning = true;
- const serverUrl = `http://127.0.0.1:${fastify.config.server.port}`;
+ // Self-call uses the configured server.host so the demo works with any
+ // bind address. When listening on the wildcard (0.0.0.0), substitute
+ // 127.0.0.1 since the wildcard isn't a valid client address.
+ const configuredHost = fastify.config.server.host;
+ const selfHost = configuredHost === '0.0.0.0' ? '127.0.0.1' : configuredHost;
+ const serverUrl = `http://${selfHost}:${fastify.config.server.port}`;
 try {
 // ---- Step 1: Health check ----
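Review bot: The new `selfHost` line only special-cases the IPv4 wildcard; if an operator sets `server.host` to the IPv6 unspecified address `::` (a common dual-stack bind that Node's `listen` accepts) or to any other IPv6 literal, the template on the next line yields an invalid URL such as `http://:::PORT`, because IPv6 hosts must be bracketed in a URL. The demo would then fail on its first self-call rather than at configuration time, which is exactly the brittleness this commit sets out to remove. I'd treat `::` as a wildcard as well and bracket any remaining IPv6 literal before interpolating it into `serverUrl`; the bracket guard below assumes the config stores the bare literal — if it may already be bracketed, adjust accordingly. The enclosing demoRoutes handler starts and ends outside the hunk.
```typescript
const configuredHost = fastify.config.server.host;
// Wildcard binds are not valid client addresses; IPv6 literals need brackets in a URL.
const selfHost =
  configuredHost === '0.0.0.0'
    ? '127.0.0.1'
    : configuredHost === '::'
      ? '[::1]'
      : configuredHost.includes(':') && !configuredHost.startsWith('[')
        ? `[${configuredHost}]`
        : configuredHost;
const serverUrl = `http://${selfHost}:${fastify.config.server.port}`;
// … unchanged: try block / Step 1 health check …
```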
@@ -143,9 +148,10 @@ const demoRoutes: FastifyPluginCallback = (fastify, _options, done) => {
 detail: 'Connecting to Cardano Preview testnet via Blockfrost…',
 });
- const blockfrostUrl = demoNetwork === 'Preprod'
- ? 'https://cardano-preprod.blockfrost.io/api/v0'
- : 'https://cardano-preview.blockfrost.io/api/v0';
+ const blockfrostUrl =
+ demoNetwork === 'Preprod'
+ ? 'https://cardano-preprod.blockfrost.io/api/v0'
+ : 'https://cardano-preview.blockfrost.io/api/v0';
 const provider = new Blockfrost(blockfrostUrl, blockfrostKey);
 const lucid = await Lucid(provider, demoNetwork);
 lucid.selectWallet.fromSeed(seedPhrase);