RUN  v4.1.10 /data/pruva/project-cache/a937b1f3-9b59-4a11-81fc-750572359892/repro/fixed stdout | repro-sso-ssrf.test.ts > SSO SSRF via real HTTP service > registers a malicious SSO provider and triggers SSRF + account takeover register response: 400 { "message": "The authorizationEndpoint URL (http://127.0.0.1:9876/authorize) is not publicly routable: 127.0.0.1. If this is an internal IdP, add its origin to trustedOrigins.", "code": "discovery_private_host" } ❯ repro-sso-ssrf.test.ts (1 test | 1 failed) 128ms  × registers a malicious SSO provider and triggers SSRF + account takeover 121ms ⎯⎯⎯⎯⎯⎯⎯ Failed Tests 1 ⎯⎯⎯⎯⎯⎯⎯  FAIL  repro-sso-ssrf.test.ts > SSO SSRF via real HTTP service > registers a malicious SSO provider and triggers SSRF + account takeover AssertionError: expected 400 to be 200 // Object.is equality - Expected + Received - 200 + 400  ❯ repro-sso-ssrf.test.ts:160:33 158| }); 159| console.log("register response:", register.res.status, JSON.string… 160| expect(register.res.status).toBe(200);  | ^ 161| expect(register.body?.providerId).toBe("evil-sso"); 162| ⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯[1/1]⎯  Test Files  1 failed (1)  Tests  1 failed (1)  Start at  23:29:37  Duration  526ms (transform 19ms, setup 0ms, import 320ms, tests 128ms, environment 0ms)