OAuth redirect_uri=http://localhost is rejected

[onspli]

Issue Description

When trying to authenticate with OAuth with redirect_uri pointing to localhost with HTTP protocol, the URI is rejected (is not HTTPS).

According to standard, localhost should be accepted without HTTPS.
It looks like this edge case is not handled at all -

stalwart/crates/http/src/auth/oauth/auth.rs

Lines 88 to 100 in 2266634

	// Validate clientId
	if client_id.len() > CLIENT_ID_MAX_LEN {
	return Err(trc::ManageEvent::Error
	.into_err()
	.details("Client ID is invalid."));
	} else if redirect_uri
	.as_ref()
	.is_some_and(|uri| uri.starts_with("http://"))
	{
	return Err(trc::ManageEvent::Error
	.into_err()
	.details("Redirect URI must be HTTPS."));
	}

Expected Behavior

Redirect URI targeting localhost using plain HTTP should be accepted per standard.

Actual Behavior

The login form shows error

Invalid redirect_uri parameter, must be a valid HTTPS URL

Reproduction Steps

1. Start Stalwart server on port 8080
2. Create test user
3. Open http://localhost:8080/authorize/code?redirect_uri=http://localhost in browser and login with test user credentials

Relevant Log Output

No response

Stalwart Version

v0.15.x

Installation Method

Docker

Database Backend

RocksDB

Blob Storage

RocksDB

Search Engine

Internal

Directory Backend

Internal

Additional Context

No response

I acknowledge that:

• I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.
• I have searched the Stalwart repository (both open and closed Discussions and Issues) and confirm this is not a duplicate.
• I have set the logging level to trace and included relevant log output if applicable.
• I agree to follow the project's Code of Conduct.