fix: preserve "//" in redirect URLs with empty authority

vatsalpatel · vatsalpatel · commit 38dc897f5466 · 2026-04-17T21:49:03.000+05:30
Go's net/url normalizes "scheme://" with empty authority to "scheme:" on String(), breaking iOS/Android custom-scheme deep links like "myapp://" emitted as "myapp:?code=...". Adds utilities.PreserveEmptyAuthority and applies it in all redirect URL builders in internal/api/verify.go and oauthserver/authorize.go. Closes #2423
diff --git a/internal/api/oauthserver/authorize.go b/internal/api/oauthserver/authorize.go
@@ -606,7 +606,7 @@ func (s *Server) buildSuccessRedirectURL(authorization *models.OAuthServerAuthor
 		q.Set("state", *authorization.State)
 	}
 	u.RawQuery = q.Encode()
-	return u.String()
+	return utilities.PreserveEmptyAuthority(authorization.RedirectURI, u, u.String())
 }
 
 // buildErrorRedirectURL builds an error redirect URL with the given parameters
@@ -619,7 +619,7 @@ func (s *Server) buildErrorRedirectURL(redirectURI, errorCode, errorDescription,
 		q.Set("state", state)
 	}
 	u.RawQuery = q.Encode()
-	return u.String()
+	return utilities.PreserveEmptyAuthority(redirectURI, u, u.String())
 }
 
 // buildAuthorizationURL safely joins a base URL with a path, handling slashes correctly
diff --git a/internal/api/verify.go b/internal/api/verify.go
@@ -510,7 +510,7 @@ func (a *API) prepErrorRedirectURL(err *HTTPError, r *http.Request, rurl string,
 	// Add Supabase Auth identifier to help clients distinguish Supabase Auth redirects
 	hq.Set("sb", "")
 	u.Fragment = hq.Encode()
-	return u.String(), nil
+	return utilities.PreserveEmptyAuthority(rurl, u, u.String()), nil
 }
 
 func (a *API) prepRedirectURL(message string, rurl string, flowType models.FlowType) (string, error) {
@@ -528,7 +528,7 @@ func (a *API) prepRedirectURL(message string, rurl string, flowType models.FlowT
 	// Add Supabase Auth identifier to help clients distinguish Supabase Auth redirects
 	hq.Set("sb", "")
 	u.Fragment = hq.Encode()
-	return u.String(), nil
+	return utilities.PreserveEmptyAuthority(rurl, u, u.String()), nil
 }
 
 func (a *API) prepPKCERedirectURL(rurl, code string) (string, error) {
@@ -539,7 +539,7 @@ func (a *API) prepPKCERedirectURL(rurl, code string) (string, error) {
 	q := u.Query()
 	q.Set("code", code)
 	u.RawQuery = q.Encode()
-	return u.String(), nil
+	return utilities.PreserveEmptyAuthority(rurl, u, u.String()), nil
 }
 
 func (a *API) emailChangeVerify(r *http.Request, conn *storage.Connection, params *VerifyParams, user *models.User) (*models.User, error) {
diff --git a/internal/utilities/url.go b/internal/utilities/url.go
@@ -0,0 +1,20 @@
+package utilities
+
+import (
+	"net/url"
+	"strings"
+)
+
+// PreserveEmptyAuthority restores the `//` in URLs that use "scheme://" with
+// an empty authority (e.g. custom-scheme deep links like "myapp://"). Go's
+// net/url package normalizes these to "scheme:" on String(), which breaks
+// iOS/Android deep-link clients that register for the "scheme://" form.
+//
+// Call with the original input string, the parsed URL, and the already-
+// serialized output of u.String().
+func PreserveEmptyAuthority(rurl string, u *url.URL, formatted string) string {
+	if u.Scheme != "" && u.Host == "" && u.Path == "" && strings.HasPrefix(rurl, u.Scheme+"://") {
+		return strings.Replace(formatted, u.Scheme+":", u.Scheme+"://", 1)
+	}
+	return formatted
+}
diff --git a/internal/utilities/url_test.go b/internal/utilities/url_test.go
@@ -0,0 +1,39 @@
+package utilities
+
+import (
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPreserveEmptyAuthority(t *testing.T) {
+	cases := []struct {
+		name string
+		in   string
+		want string
+	}{
+		{"custom scheme empty authority", "myapp://", "myapp://?code=ABC"},
+		{"custom scheme with host", "myapp://host", "myapp://host?code=ABC"},
+		{"scheme only no slashes", "myapp:", "myapp:?code=ABC"},
+		{"https", "https://example.com", "https://example.com?code=ABC"},
+		{"reverse dns empty authority", "com.example.app://", "com.example.app://?code=ABC"},
+		{"reverse dns with path", "com.example.app://callback", "com.example.app://callback?code=ABC"},
+		{"triple slash", "myapp:///callback", "myapp:///callback?code=ABC"},
+		{"host port path", "myapp://host:1234/callback", "myapp://host:1234/callback?code=ABC"},
+		{"existing query", "myapp://?x=1", "myapp://?code=ABC&x=1"},
+		{"fragment", "myapp://#frag", "myapp://?code=ABC#frag"},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			u, err := url.Parse(c.in)
+			require.NoError(t, err)
+			q := u.Query()
+			q.Set("code", "ABC")
+			u.RawQuery = q.Encode()
+			got := PreserveEmptyAuthority(c.in, u, u.String())
+			assert.Equal(t, c.want, got)
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -606,7 +606,7 @@ func (s Server) buildSuccessRedirectURL(authorization models.OAuthServerAuthor`
`606`	`606`	`q.Set("state", *authorization.State)`
`607`	`607`	`}`
`608`	`608`	`u.RawQuery = q.Encode()`
`609`		`- return u.String()`
	`609`	`+ return utilities.PreserveEmptyAuthority(authorization.RedirectURI, u, u.String())`
`610`	`610`	`}`
`611`	`611`
`612`	`612`	`// buildErrorRedirectURL builds an error redirect URL with the given parameters`
`@@ -619,7 +619,7 @@ func (s *Server) buildErrorRedirectURL(redirectURI, errorCode, errorDescription,`
`619`	`619`	`q.Set("state", state)`
`620`	`620`	`}`
`621`	`621`	`u.RawQuery = q.Encode()`
`622`		`- return u.String()`
	`622`	`+ return utilities.PreserveEmptyAuthority(redirectURI, u, u.String())`
`623`	`623`	`}`
`624`	`624`
`625`	`625`	`// buildAuthorizationURL safely joins a base URL with a path, handling slashes correctly`