fix: normalize external URL with trailing slash per RFC 3986 (#125)

hrntknr · web-flow · commit e377aa9ed27b · 2026-03-17T02:34:05.000+09:00
Ensure the resource URI in /.well-known/oauth-protected-resource
includes a trailing slash, matching the canonical form expected by
clients like claude.ai (RFC 3986 Section 6.2.3).
diff --git a/pkg/mcp-proxy/main.go b/pkg/mcp-proxy/main.go
@@ -84,9 +84,11 @@ func Run(
 	if err != nil {
 		return fmt.Errorf("failed to parse external URL: %w", err)
 	}
-	if parsedExternalURL.Path != "" {
+	if parsedExternalURL.Path != "" && parsedExternalURL.Path != "/" {
 		return fmt.Errorf("external URL must not have a path, got: %s", parsedExternalURL.Path)
 	}
+	parsedExternalURL.Path = "/"
+	externalURL = parsedExternalURL.String()
 
 	if (tlsCertFile == "") != (tlsKeyFile == "") {
 		return fmt.Errorf("both TLS certificate and key files must be provided together")
diff --git a/pkg/mcp-proxy/main_test.go b/pkg/mcp-proxy/main_test.go
@@ -10,6 +10,56 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func TestRun_NormalizesExternalURLTrailingSlash(t *testing.T) {
+	originalNewProxyRouter := newProxyRouter
+	t.Cleanup(func() {
+		newProxyRouter = originalNewProxyRouter
+	})
+
+	cases := []struct {
+		name        string
+		input       string
+		wantURL     string
+		wantErr     bool
+		errContains string
+	}{
+		{name: "no trailing slash", input: "https://example.com", wantURL: "https://example.com/"},
+		{name: "with trailing slash", input: "https://example.com/", wantURL: "https://example.com/"},
+		{name: "with path", input: "https://example.com/foo", wantErr: true, errContains: "must not have a path"},
+	}
+
+	for _, tt := range cases {
+		t.Run(tt.name, func(t *testing.T) {
+			var receivedURL string
+			newProxyRouter = func(externalURL string, proxyHandler http.Handler, publicKey *rsa.PublicKey, proxyHeaders http.Header, httpStreamingOnly bool) (*proxy.ProxyRouter, error) {
+				receivedURL = externalURL
+				return nil, errors.New("stop early")
+			}
+
+			err := Run(
+				":0", ":0", false, "", "", false, "", "",
+				t.TempDir(), "local", "",
+				tt.input,
+				"", "", nil, nil,
+				"", "", nil, nil,
+				"", "", "", nil, "", "", nil, nil, nil, nil,
+				false, "", "", nil, nil, "",
+				[]string{"http://example.com"}, false,
+			)
+
+			if tt.wantErr {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tt.errContains)
+				return
+			}
+
+			require.Error(t, err)
+			require.Contains(t, err.Error(), "stop early")
+			require.Equal(t, tt.wantURL, receivedURL)
+		})
+	}
+}
+
 func TestRun_PassesHTTPStreamingOnlyToProxyRouter(t *testing.T) {
 	originalNewProxyRouter := newProxyRouter
 	t.Cleanup(func() {
diff --git a/pkg/proxy/proxy_test.go b/pkg/proxy/proxy_test.go
@@ -3,6 +3,7 @@ package proxy
 import (
 	"crypto/rand"
 	"crypto/rsa"
+	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -103,6 +104,32 @@ func TestProxyRouter_HandleProxy_ValidToken(t *testing.T) {
 	assert.Equal(t, http.StatusUnauthorized, w.Code)
 }
 
+func TestProxyRouter_ProtectedResourceTrailingSlash(t *testing.T) {
+	_, publicKey, err := generateRSAKeyPair()
+	require.NoError(t, err)
+
+	proxyRouter, err := NewProxyRouter("https://example.com/", http.NotFoundHandler(), publicKey, http.Header{}, false)
+	require.NoError(t, err)
+
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+	proxyRouter.SetupRoutes(router)
+
+	req, err := http.NewRequest("GET", OauthProtectedResourceEndpoint, nil)
+	require.NoError(t, err)
+
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusOK, w.Code)
+
+	var resp protectedResourceResponse
+	err = json.NewDecoder(w.Body).Decode(&resp)
+	require.NoError(t, err)
+	assert.Equal(t, "https://example.com/", resp.Resource)
+	assert.Equal(t, []string{"https://example.com/"}, resp.AuthorizationServers)
+}
+
 func TestProxyRouter_HTTPStreamingOnlyRejectsSSE(t *testing.T) {
 	privateKey, publicKey, err := generateRSAKeyPair()
 	require.NoError(t, err)

Original file line number	Diff line number	Diff line change
`@@ -84,9 +84,11 @@ func Run(`
`84`	`84`	`if err != nil {`
`85`	`85`	`return fmt.Errorf("failed to parse external URL: %w", err)`
`86`	`86`	`}`
`87`		`- if parsedExternalURL.Path != "" {`
	`87`	`+ if parsedExternalURL.Path != "" && parsedExternalURL.Path != "/" {`
`88`	`88`	`return fmt.Errorf("external URL must not have a path, got: %s", parsedExternalURL.Path)`
`89`	`89`	`}`
	`90`	`+ parsedExternalURL.Path = "/"`
	`91`	`+ externalURL = parsedExternalURL.String()`
`90`	`92`
`91`	`93`	`if (tlsCertFile == "") != (tlsKeyFile == "") {`
`92`	`94`	`return fmt.Errorf("both TLS certificate and key files must be provided together")`