fix: Cleanup implementation

Author: vatsalpatel

internal/api/oauthserver/authorize.go

@@ -606,7 +606,7 @@ func (s *Server) buildSuccessRedirectURL(authorization *models.OAuthServerAuthor
 		q.Set("state", *authorization.State)
 	}
 	u.RawQuery = q.Encode()
-	return utilities.PreserveEmptyAuthority(authorization.RedirectURI, u, u.String())
+	return utilities.PreserveEmptyAuthority(authorization.RedirectURI, u)
 }
 
 // buildErrorRedirectURL builds an error redirect URL with the given parameters
@@ -619,7 +619,7 @@ func (s *Server) buildErrorRedirectURL(redirectURI, errorCode, errorDescription,
 		q.Set("state", state)
 	}
 	u.RawQuery = q.Encode()
-	return utilities.PreserveEmptyAuthority(redirectURI, u, u.String())
+	return utilities.PreserveEmptyAuthority(redirectURI, u)
 }
 
 // buildAuthorizationURL safely joins a base URL with a path, handling slashes correctly

internal/api/verify.go

@@ -510,7 +510,7 @@ func (a *API) prepErrorRedirectURL(err *HTTPError, r *http.Request, rurl string,
 	// Add Supabase Auth identifier to help clients distinguish Supabase Auth redirects
 	hq.Set("sb", "")
 	u.Fragment = hq.Encode()
-	return utilities.PreserveEmptyAuthority(rurl, u, u.String()), nil
+	return utilities.PreserveEmptyAuthority(rurl, u), nil
 }
 
 func (a *API) prepRedirectURL(message string, rurl string, flowType models.FlowType) (string, error) {
@@ -528,7 +528,7 @@ func (a *API) prepRedirectURL(message string, rurl string, flowType models.FlowT
 	// Add Supabase Auth identifier to help clients distinguish Supabase Auth redirects
 	hq.Set("sb", "")
 	u.Fragment = hq.Encode()
-	return utilities.PreserveEmptyAuthority(rurl, u, u.String()), nil
+	return utilities.PreserveEmptyAuthority(rurl, u), nil
 }
 
 func (a *API) prepPKCERedirectURL(rurl, code string) (string, error) {
@@ -539,7 +539,7 @@ func (a *API) prepPKCERedirectURL(rurl, code string) (string, error) {
 	q := u.Query()
 	q.Set("code", code)
 	u.RawQuery = q.Encode()
-	return utilities.PreserveEmptyAuthority(rurl, u, u.String()), nil
+	return utilities.PreserveEmptyAuthority(rurl, u), nil
 }
 
 func (a *API) emailChangeVerify(r *http.Request, conn *storage.Connection, params *VerifyParams, user *models.User) (*models.User, error) {

internal/utilities/url.go

@@ -9,10 +9,8 @@ import (
 // an empty authority (e.g. custom-scheme deep links like "myapp://"). Go's
 // net/url package normalizes these to "scheme:" on String(), which breaks
 // iOS/Android deep-link clients that register for the "scheme://" form.
-//
-// Call with the original input string, the parsed URL, and the already-
-// serialized output of u.String().
-func PreserveEmptyAuthority(rurl string, u *url.URL, formatted string) string {
+func PreserveEmptyAuthority(rurl string, u *url.URL) string {
+	formatted := u.String()
 	if u.Scheme != "" && u.Host == "" && u.Path == "" && strings.HasPrefix(rurl, u.Scheme+"://") {
 		return strings.Replace(formatted, u.Scheme+":", u.Scheme+"://", 1)
 	}

internal/utilities/url_test.go

@@ -23,7 +23,12 @@ func TestPreserveEmptyAuthority(t *testing.T) {
 		{"triple slash", "myapp:///callback", "myapp:///callback?code=ABC"},
 		{"host port path", "myapp://host:1234/callback", "myapp://host:1234/callback?code=ABC"},
 		{"existing query", "myapp://?x=1", "myapp://?code=ABC&x=1"},
+		{"existing code param overwrites", "myapp://?code=OLD", "myapp://?code=ABC"},
 		{"fragment", "myapp://#frag", "myapp://?code=ABC#frag"},
+		// net/url lowercases the scheme per RFC 3986 §3.1. iOS URL-scheme
+		// matching is case-sensitive in practice, so mixed-case schemes are
+		// normalized to lowercase by the time they reach the client.
+		{"mixed case scheme", "MyApp://callback", "myapp://callback?code=ABC"},
 	}
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
@@ -32,7 +37,7 @@ func TestPreserveEmptyAuthority(t *testing.T) {
 			q := u.Query()
 			q.Set("code", "ABC")
 			u.RawQuery = q.Encode()
-			got := PreserveEmptyAuthority(c.in, u, u.String())
+			got := PreserveEmptyAuthority(c.in, u)
 			assert.Equal(t, c.want, got)
 		})
 	}