fix(auth): absolutize relative Keycloak verification URIs in device flow

netcup's Keycloak returns relative verification_uri(_complete) (e.g.
/realms/scp/device), which printed an unusable path. Normalize to absolute
URLs against BASE_HOST and synthesize the complete URL when missing; clearer
login output. Adds a unit test for the normalizer.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: ArthurC-Nina

netcup_api/auth.py

@@ -33,6 +33,15 @@ class DeviceCode:
     interval: int
 
 
+def _absolutize(uri: str | None, fallback: str) -> str:
+    """Turn a possibly-relative verification URI into an absolute URL."""
+    if not uri:
+        return fallback
+    if uri.startswith("http://") or uri.startswith("https://"):
+        return uri
+    return config.BASE_HOST.rstrip("/") + "/" + uri.lstrip("/")
+
+
 def _write_secure(path, data: dict[str, Any]) -> None:
     config.ensure_config_dir()
     tmp = path.with_suffix(path.suffix + ".tmp")
@@ -88,11 +97,19 @@ def start_device_flow(self) -> DeviceCode:
         if r.status_code != 200:
             raise AuthError(f"device auth failed: HTTP {r.status_code}: {r.text}")
         d = r.json()
+        user_code = d["user_code"]
+        # Keycloak may return *relative* verification URIs (e.g. "/realms/scp/device").
+        # Normalize them to absolute URLs so they are usable in a browser.
+        verify = _absolutize(d.get("verification_uri"), config.DEVICE_VERIFICATION_URL)
+        verify_complete = _absolutize(d.get("verification_uri_complete"), "")
+        if not verify_complete:
+            sep = "&" if "?" in verify else "?"
+            verify_complete = f"{verify}{sep}user_code={user_code}"
         return DeviceCode(
             device_code=d["device_code"],
-            user_code=d["user_code"],
-            verification_uri=d.get("verification_uri", config.DEVICE_VERIFICATION_URL),
-            verification_uri_complete=d.get("verification_uri_complete", ""),
+            user_code=user_code,
+            verification_uri=verify,
+            verification_uri_complete=verify_complete,
             expires_in=int(d.get("expires_in", 600)),
             interval=int(d.get("interval", 5)),
         )
@@ -129,12 +146,16 @@ def poll_for_token(
 
     def login(self, open_browser: bool = True, printer: Callable[[str], None] = print) -> dict:
         dc = self.start_device_flow()
-        url = dc.verification_uri_complete or dc.verification_uri
-        printer(f"Open this URL in your browser and approve access:\n\n    {url}\n")
-        printer(f"User code: {dc.user_code}\n")
+        printer(
+            "Open this URL in your browser and approve access:\n\n"
+            f"    {dc.verification_uri_complete}\n\n"
+            "If the code is not pre-filled, go to:\n\n"
+            f"    {dc.verification_uri}\n\n"
+            f"and enter this code: {dc.user_code}\n"
+        )
         if open_browser:
             try:
-                webbrowser.open(url)
+                webbrowser.open(dc.verification_uri_complete)
             except Exception:  # noqa: BLE001 - headless is fine
                 pass
         printer("Waiting for authorization...")

tests/test_spec.py

@@ -1,8 +1,17 @@
 """Offline tests for the OpenAPI-driven registry (no network, no auth)."""
 
+from netcup_api.auth import _absolutize
 from netcup_api.spec import _make_operation_id, load
 
 
+def test_absolutize_verification_uri():
+    base = "https://www.servercontrolpanel.de"
+    assert _absolutize("/realms/scp/device", "fb") == f"{base}/realms/scp/device"
+    assert _absolutize("https://h/p", "fb") == "https://h/p"
+    assert _absolutize("", "fallback") == "fallback"
+    assert _absolutize(None, "fallback") == "fallback"
+
+
 def test_operation_id_generation():
     assert _make_operation_id("get", "/api/v1/servers") == "get-servers"
     assert _make_operation_id("get", "/api/v1/servers/{serverId}") == "get-servers-by-serverId"