fix(auth): restore AAD local emulator fallback and normalize openIdIssuer URL (#947)

[LongOddCode]

Problem

Two regressions in the custom-auth AAD flow were introduced in 2.0.3 by PR #905. Reported separately as #928, #941, and #947 — this PR fixes the common root causes.

Regression 1 — /.auth/login/aad returns 400 locally

Before 2.0.3, running the CLI against a staticwebapp.config.json that declared an AAD custom-auth provider would serve the local auth emulator at /.auth/login/aad when the referenced env vars were not set. That behaviour is what makes local dev ergonomic: a developer can reuse the production config without provisioning a tenant.

After 2.0.3, checkCustomAuthConfigFields hard-fails:

400 AAD_CLIENT_ID not found in env for 'aad' provider

…which breaks swa start for every user whose config targets AAD.

Regression 2 — /oauth2/v2.0 issuer URL fails discovery

The deployed SWA runtime accepts https://login.microsoftonline.com/<tenant>/oauth2/v2.0 as an alias for the canonical https://login.microsoftonline.com/<tenant>/v2.0. The CLI’s OIDC discovery (via openid-client) does not — it follows redirects from <issuer>/.well-known/openid-configuration and ends up in ERR_TOO_MANY_REDIRECTS. Users therefore need two different openIdIssuer values (one for local, one for prod) which is what #947 describes.

Root Cause

#	Where	What changed in #905
1	auth-login-provider-custom.ts → checkCustomAuthConfigFields	The emulator fallback path was removed. Every missing env var now produces a 400 with no code path to the local emulator.
2	openidHelper.ts → OpenIdHelper ctor	new URL(issuerUrl) is passed directly to client.discovery() without normalization, so a /oauth2/v2.0 suffix breaks discovery.

src/msha/auth/index.ts routes /.auth/login/aad exclusively to the custom-auth handler when isCustomAuth=true, so URL-level fallback is not possible — the delegation must happen in-process.

Fix

File	Change
src/core/utils/openidHelper.ts	Add export function normalizeOpenIdIssuer(url) that rewrites a trailing /oauth2/v2.0 to /v2.0. Wire it into the OpenIdHelper constructor before new URL(...). Covers login.microsoftonline.com, *.ciamlogin.com, and Entra custom URL domains.
src/msha/auth/routes/auth-login-provider-custom.ts	Add shouldFallbackToAadEmulator(providerName, customAuth) — returns true only when provider is aad, the config declares both setting names, and at least one referenced env var is unset (i.e. clearly a local-dev case). Delegate to authLoginProviderEmulator in httpTrigger before checkCustomAuthConfigFields.

Design notes:

• checkCustomAuthConfigFields is unchanged. It is also used by auth-login-provider-callback.ts, which must keep strict 400 semantics — a callback with a real OAuth code has no legitimate reason to fall back to the emulator. Placing the pre-check in the httpTrigger caller avoids coupling the two code paths.
• Config errors still surface as 400. If clientIdSettingName or clientSecretSettingName is missing from the config file entirely (as opposed to referenced-but-unset env vars), we fall through to the existing 400 response. Test case (e) covers this.

Testing

All new and existing tests pass against Node 20.18.0.

Test Files  34 passed (34)
     Tests  502 passed | 14 skipped (516)

New tests (17):

Spec file	Cases
src/core/utils/openidHelper.spec.ts	12 — normalizeOpenIdIssuer correctness across tenant-id / common / organizations, ciamlogin.com, custom Entra domains, canonical URLs preserved, trailing slash preserved, unrelated URLs untouched
src/msha/auth/routes/auth-login-provider-custom.spec.ts	5 — emulator fallback when clientId unset / secret unset / both unset; real-auth path when both set; still-400 when config field is missing

Manual repro of #947 locally:

1. staticwebapp.config.json with openIdIssuer = https://login.microsoftonline.com/<tenant>/oauth2/v2.0 and env vars unset.
2. Before: GET /.auth/login/aad → 400 AAD_CLIENT_ID not found in env.
3. After: GET /.auth/login/aad → local auth emulator HTML (same as pre-2.0.3).

References

• Fixes AzureActiveDirectory (AAD) custom auth provider is broken in 2.0.3 #947, AAD Custom Authentication emulation settings are not compatible with the CLI #928, Azure Static Web Apps AAD Auth emulation doesn't work from CLI 2.0.2 to current version 2.0.4. Works fine until 2.0.1 #941
• Regression introduced by chore: Reapply Pull Requests Prior to Release v2.0.2 #905 (2.0.3)
• Intended to land after the 2.0.9 release cut in chore: bump version to 2.0.9 #991 so the fix can be shipped as 2.0.10 without further delaying 2.0.9.