refactor(auth): use URL constructor for endpoint generation in OAuth handlers

Author: nickytonline

src/auth/discovery.ts

@@ -17,8 +17,8 @@ export function createAuthorizationServerMetadataHandler() {
 
       const metadata = {
         issuer: baseUrl,
-        authorization_endpoint: `${baseUrl}/oauth/authorize`,
-        token_endpoint: `${baseUrl}/oauth/token`,
+        authorization_endpoint: new URL("/oauth/authorize", baseUrl).toString(),
+        token_endpoint: new URL("/oauth/token", baseUrl).toString(),
         response_types_supported: ["code"],
         grant_types_supported: ["authorization_code"],
         code_challenge_methods_supported: ["S256"],
@@ -60,7 +60,7 @@ export function createProtectedResourceMetadataHandler() {
         authorization_servers: [baseUrl],
         scopes_supported: ["read", "write", "mcp"],
         bearer_methods_supported: ["header"],
-        resource_documentation: `${baseUrl}/docs`
+        resource_documentation: new URL("/docs", baseUrl).toString()
       };
 
       logger.info("OAuth protected resource metadata requested", { 

src/auth/routes.ts

@@ -36,6 +36,11 @@ const pendingRequests = new Map<string, PendingAuthRequest>();
 export function createAuthorizeHandler() {
   return async (req: Request, res: Response) => {
     try {
+      logger.debug("Authorization handler called", { 
+        query: req.query,
+        url: req.url 
+      });
+      
       const config = getConfig();
       const { 
         response_type, 
@@ -94,28 +99,25 @@ export function createAuthorizeHandler() {
       });
 
       // Build authorization URL for external provider with our own PKCE
-      const authParams = new URLSearchParams({
-        response_type: "code",
-        client_id: config.OAUTH_CLIENT_ID!,
-        redirect_uri: config.OAUTH_REDIRECT_URI!,
-        scope: scope as string || "openid profile email",
-        state: requestId, // Use our request ID as state
-        code_challenge: externalCodeChallenge, // Use our generated challenge
-        code_challenge_method: "S256"
-      });
-
-      const authUrl = `${config.OAUTH_ISSUER}/oauth/authorize?${authParams}`;
+      const authUrl = new URL("/oauth/authorize", config.OAUTH_ISSUER!);
+      authUrl.searchParams.set("response_type", "code");
+      authUrl.searchParams.set("client_id", config.OAUTH_CLIENT_ID!);
+      authUrl.searchParams.set("redirect_uri", config.OAUTH_REDIRECT_URI!);
+      authUrl.searchParams.set("scope", scope as string || "openid profile email");
+      authUrl.searchParams.set("state", requestId);
+      authUrl.searchParams.set("code_challenge", externalCodeChallenge);
+      authUrl.searchParams.set("code_challenge_method", "S256");
 
       logger.info("Proxying OAuth authorization request", { 
         client_id,
         redirect_uri,
         scope,
         requestId,
-        external_auth_url: `${config.OAUTH_ISSUER}/oauth/authorize`
+        external_auth_url: new URL("/oauth/authorize", config.OAUTH_ISSUER!).toString()
       });
 
       // Redirect to external OAuth provider
-      res.redirect(authUrl);
+      res.redirect(authUrl.toString());
 
     } catch (error) {
       logger.error("OAuth authorization proxy error", { 
@@ -279,7 +281,7 @@ export function createCallbackHandler(oauthProvider: OAuthProvider) {
  */
 async function exchangeCodeForTokens(code: string, config: any, codeVerifier: string): Promise<TokenExchangeResponse | null> {
   try {
-    const tokenEndpoint = `${config.OAUTH_ISSUER}/oauth/token`;
+    const tokenEndpoint = new URL("/oauth/token", config.OAUTH_ISSUER!);
 
     const tokenParams = new URLSearchParams({
       grant_type: "authorization_code",
@@ -291,11 +293,11 @@ async function exchangeCodeForTokens(code: string, config: any, codeVerifier: st
     });
 
     logger.info("Exchanging authorization code with external provider", {
-      tokenEndpoint,
+      tokenEndpoint: tokenEndpoint.toString(),
       clientId: config.OAUTH_CLIENT_ID
     });
 
-    const response = await fetch(tokenEndpoint, {
+    const response = await fetch(tokenEndpoint.toString(), {
       method: "POST",
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
@@ -310,7 +312,7 @@ async function exchangeCodeForTokens(code: string, config: any, codeVerifier: st
         status: response.status,
         statusText: response.statusText,
         error: errorText,
-        tokenEndpoint,
+        tokenEndpoint: tokenEndpoint.toString(),
         clientId: config.OAUTH_CLIENT_ID
       });
       return null;

src/auth/token-validator.ts

@@ -40,7 +40,7 @@ export class OAuthTokenValidator {
   private async validateJWT(token: string): Promise<TokenValidationResult> {
     try {
       // Get JWKS from the issuer
-      const JWKS = jose.createRemoteJWKSet(new URL(`${this.#issuer}/.well-known/jwks.json`));
+      const JWKS = jose.createRemoteJWKSet(new URL("/.well-known/jwks.json", this.#issuer));
 
       // Verify and decode the JWT
       const verifyOptions: any = {
@@ -78,9 +78,9 @@ export class OAuthTokenValidator {
   }
 
   private async introspectToken(token: string): Promise<TokenValidationResult> {
-    const introspectionUrl = `${this.#issuer}/oauth/introspect`;
+    const introspectionUrl = new URL("/oauth/introspect", this.#issuer);
 
-    const response = await fetch(introspectionUrl, {
+    const response = await fetch(introspectionUrl.toString(), {
       method: "POST",
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",

src/config.ts

@@ -40,7 +40,8 @@ export function getConfig(): Config {
         // Provide default for OAUTH_REDIRECT_URI if not set
         if (!parsed.OAUTH_REDIRECT_URI) {
           const baseUrl = parsed.BASE_URL || "http://localhost:3000";
-          parsed.OAUTH_REDIRECT_URI = `${baseUrl}/callback`;
+          const callbackUrl = new URL("/callback", baseUrl);
+          parsed.OAUTH_REDIRECT_URI = callbackUrl.toString();
           console.log(`⚠️  OAUTH_REDIRECT_URI not set, using default: ${parsed.OAUTH_REDIRECT_URI}`);
         }
 

src/index.ts

@@ -113,10 +113,10 @@ const mcpHandler = async (req: express.Request, res: express.Response) => {
         capabilities,
         ...(config.AUTH_MODE !== "none" && {
           oauth: {
-            authorization_server: `${config.BASE_URL || "http://localhost:3000"}/.well-known/oauth-authorization-server`,
-            protected_resource: `${config.BASE_URL || "http://localhost:3000"}/.well-known/oauth-protected-resource`,
-            authorization_endpoint: `${config.BASE_URL || "http://localhost:3000"}/oauth/authorize`,
-            token_endpoint: `${config.BASE_URL || "http://localhost:3000"}/oauth/token`
+            authorization_server: new URL("/.well-known/oauth-authorization-server", config.BASE_URL || "http://localhost:3000").toString(),
+            protected_resource: new URL("/.well-known/oauth-protected-resource", config.BASE_URL || "http://localhost:3000").toString(),
+            authorization_endpoint: new URL("/oauth/authorize", config.BASE_URL || "http://localhost:3000").toString(),
+            token_endpoint: new URL("/oauth/token", config.BASE_URL || "http://localhost:3000").toString()
           }
         })
       });
@@ -133,11 +133,12 @@ const config = getConfig();
 let oauthProvider: OAuthProvider | null = null;
 
 if (config.AUTH_MODE === "full") {
+  const baseUrl = config.BASE_URL || "http://localhost:3000";
   oauthProvider = new OAuthProvider({
     clientId: "mcp-client",
     clientSecret: "mcp-secret",
-    authorizationEndpoint: `${config.BASE_URL || "http://localhost:3000"}/oauth/authorize`,
-    tokenEndpoint: `${config.BASE_URL || "http://localhost:3000"}/oauth/token`,
+    authorizationEndpoint: new URL("/oauth/authorize", baseUrl).toString(),
+    tokenEndpoint: new URL("/oauth/token", baseUrl).toString(),
     scope: config.OAUTH_SCOPE,
     redirectUri: config.OAUTH_REDIRECT_URI!
   });