백채널 로그아웃 URI 허용 범위 확장

backend/internal/handler/dev_handler.go

@@ -13,6 +13,7 @@ import (
 	"fmt"
 	"io"
 	"log/slog"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
@@ -2749,16 +2750,35 @@ func validateBackchannelLogoutURI(raw string) error {
 	case "https":
 		return nil
 	case "http":
-		host := strings.ToLower(parsed.Hostname())
-		if host == "localhost" || host == "127.0.0.1" {
+		if isAllowedLocalBackchannelLogoutHost(parsed.Hostname()) {
 			return nil
 		}
-		return fmt.Errorf("backchannelLogoutUri must use https outside localhost development")
+		return fmt.Errorf("backchannelLogoutUri must use https outside local development")
 	default:
 		return fmt.Errorf("backchannelLogoutUri must use http or https")
 	}
 }
 
+func isAllowedLocalBackchannelLogoutHost(rawHost string) bool {
+	host := strings.ToLower(strings.TrimSpace(rawHost))
+	if host == "" {
+		return false
+	}
+
+	switch host {
+	case "localhost", "127.0.0.1", "::1", "host.docker.internal":
+		return true
+	}
+
+	if ip := net.ParseIP(host); ip != nil {
+		return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast()
+	}
+
+	// Docker service names and other single-label local hostnames are
+	// permitted only for local HTTP development workflows.
+	return !strings.Contains(host, ".")
+}
+
 func normalizeClientAutoLoginMetadata(metadata map[string]interface{}) (map[string]interface{}, error) {
 	if metadata == nil {
 		return metadata, nil