fix(client): preserve authorization server subpath in fallback URLs

claygeo · claygeo · commit 93a5ca26980b · 2026-03-31T22:26:49.000-04:00
When AS metadata discovery fails and the authorization server has a non-root path (e.g., https://example.com/admin), the fallback URL construction used `new URL('/authorize', serverUrl)` which silently discards the path, producing https://example.com/authorize instead of https://example.com/admin/authorize. Adds buildFallbackUrl() helper that appends the endpoint to the existing pathname. Applied to all three fallback locations: /authorize, /token, and /register. Closes #1716
diff --git a/packages/client/src/client/auth.ts b/packages/client/src/client/auth.ts
@@ -1005,6 +1005,25 @@ async function fetchWithCorsRetry(url: URL, headers?: Record<string, string>, fe
     }
 }
 
+/**
+ * Builds a fallback endpoint URL by appending the endpoint path to the
+ * authorization server's existing pathname, instead of replacing it.
+ *
+ * `new URL('/authorize', 'https://example.com/admin')` produces
+ * `https://example.com/authorize` (path lost). This helper produces
+ * `https://example.com/admin/authorize` (path preserved).
+ */
+function buildFallbackUrl(authorizationServerUrl: string | URL, endpoint: string): URL {
+    const url = typeof authorizationServerUrl === 'string'
+        ? new URL(authorizationServerUrl)
+        : new URL(authorizationServerUrl.href);
+    const basePath = url.pathname.endsWith('/')
+        ? url.pathname.slice(0, -1)
+        : url.pathname;
+    url.pathname = `${basePath}${endpoint}`;
+    return url;
+}
+
 /**
  * Constructs the well-known path for auth-related metadata discovery
  */
@@ -1372,7 +1391,7 @@ export async function startAuthorization(
             throw new Error(`Incompatible auth server: does not support code challenge method ${AUTHORIZATION_CODE_CHALLENGE_METHOD}`);
         }
     } else {
-        authorizationUrl = new URL('/authorize', authorizationServerUrl);
+        authorizationUrl = buildFallbackUrl(authorizationServerUrl, '/authorize');
     }
 
     // Generate PKCE challenge
@@ -1454,7 +1473,7 @@ export async function executeTokenRequest(
         fetchFn?: FetchLike;
     }
 ): Promise<OAuthTokens> {
-    const tokenUrl = metadata?.token_endpoint ? new URL(metadata.token_endpoint) : new URL('/token', authorizationServerUrl);
+    const tokenUrl = metadata?.token_endpoint ? new URL(metadata.token_endpoint) : buildFallbackUrl(authorizationServerUrl, '/token');
 
     const headers = new Headers({
         'Content-Type': 'application/x-www-form-urlencoded',
@@ -1701,7 +1720,7 @@ export async function registerClient(
 
         registrationUrl = new URL(metadata.registration_endpoint);
     } else {
-        registrationUrl = new URL('/register', authorizationServerUrl);
+        registrationUrl = buildFallbackUrl(authorizationServerUrl, '/register');
     }
 
     const response = await (fetchFn ?? fetch)(registrationUrl, {
diff --git a/packages/client/test/client/auth.test.ts b/packages/client/test/client/auth.test.ts
@@ -1621,6 +1621,59 @@ describe('OAuth Authorization', () => {
         );
     });
 
+    describe('fallback URL subpath preservation', () => {
+        const validClientInfo = {
+            client_id: 'client123',
+            client_secret: 'secret123',
+            redirect_uris: ['http://localhost:3000/callback'],
+            client_name: 'Test Client'
+        };
+
+        it('preserves authorization server subpath in fallback authorize URL', async () => {
+            const { authorizationUrl } = await startAuthorization('https://auth.example.com/admin', {
+                metadata: undefined,
+                clientInformation: validClientInfo,
+                redirectUrl: 'http://localhost:3000/callback'
+            });
+
+            expect(authorizationUrl.pathname).toBe('/admin/authorize');
+        });
+
+        it('preserves subpath in fallback token URL', async () => {
+            const mockFetch = vi.fn();
+            mockFetch.mockResolvedValueOnce({
+                ok: true,
+                status: 200,
+                json: async () => ({
+                    access_token: 'access123',
+                    token_type: 'Bearer'
+                })
+            });
+
+            await exchangeAuthorization('https://auth.example.com/admin', {
+                metadata: undefined,
+                clientInformation: validClientInfo,
+                authorizationCode: 'code123',
+                codeVerifier: 'verifier123',
+                redirectUri: 'http://localhost:3000/callback',
+                fetchFn: mockFetch,
+            });
+
+            const fetchUrl = new URL(mockFetch.mock.calls[0][0]);
+            expect(fetchUrl.pathname).toBe('/admin/token');
+        });
+
+        it('still works for root-path authorization servers', async () => {
+            const { authorizationUrl } = await startAuthorization('https://auth.example.com', {
+                metadata: undefined,
+                clientInformation: validClientInfo,
+                redirectUrl: 'http://localhost:3000/callback'
+            });
+
+            expect(authorizationUrl.pathname).toBe('/authorize');
+        });
+    });
+
     describe('exchangeAuthorization', () => {
         const validTokens: OAuthTokens = {
             access_token: 'access123',
