Support multi-tenant PRM (PRM URLs not at the domain root) (#130)

* Support multi-tenant PRM (PRM URLs not at the domain root)

* Fix tests for multi-tenant PRM URL format

- Fix double-slash bug in PRM URL construction by stripping trailing slashes
- Update mockResourceServer to use RFC 9728 compliant PRM URL format
- Update test assertions to match new PRM URL path structure
- Fix lint error (prefer-const)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: badjer

package-lock.json

@@ -36,7 +36,7 @@
     "@atxp/common": "0.10.2",
     "@modelcontextprotocol/sdk": "^1.15.0",
     "bignumber.js": "^9.3.0",
-    "oauth4webapi": "^3.5.0"
+    "oauth4webapi": "^3.8.3"
   },
   "peerDependencies": {
     "expo-crypto": ">=14.0.0",

packages/atxp-client/package.json

@@ -2,9 +2,11 @@ import { FetchMock } from 'fetch-mock';
 import { DEFAULT_AUTHORIZATION_SERVER } from '@atxp/common';
 
 export function mockResourceServer(mock: FetchMock, baseUrl: string = 'https://example.com', resourcePath: string = '/mcp', authServerUrl: string = DEFAULT_AUTHORIZATION_SERVER) {
+  // RFC 9728: PRM URL is at {resourceUrl}/.well-known/oauth-protected-resource
+  const prmUrl = `${baseUrl}${resourcePath}/.well-known/oauth-protected-resource`;
   mock.route({
-    name: `${baseUrl}/.well-known/oauth-protected-resource${resourcePath}`,
-    url: `${baseUrl}/.well-known/oauth-protected-resource${resourcePath}`,
+    name: prmUrl,
+    url: prmUrl,
     response: {
       body: {
         resource: baseUrl + resourcePath,

packages/atxp-client/src/clientTestHelpers.ts

@@ -249,8 +249,9 @@ describe('oauthClient', () => {
       expect(res.issuer).toBe(DEFAULT_AUTHORIZATION_SERVER);
       expect(res.authorization_endpoint).toBe(`${DEFAULT_AUTHORIZATION_SERVER}/authorize`);
       expect(res.registration_endpoint).toBe(`${DEFAULT_AUTHORIZATION_SERVER}/register`);
-      
-      const prmCall = f.callHistory.lastCall('https://example.com/.well-known/oauth-protected-resource/mcp');
+
+      // RFC 9728: PRM URL is at {resourceUrl}/.well-known/oauth-protected-resource
+      const prmCall = f.callHistory.lastCall('https://example.com/mcp/.well-known/oauth-protected-resource');
       expect(prmCall).toBeDefined();
     });
 
@@ -261,19 +262,22 @@ describe('oauthClient', () => {
 
       const client = oauthClient(f.fetchHandler);
       await client.getAuthorizationServer('https://example.com/mcp?test=1');
-      
-      const prmCall = f.callHistory.lastCall('https://example.com/.well-known/oauth-protected-resource/mcp?test=1');
+
+      // RFC 9728: PRM URL is at {resourceUrl}/.well-known/oauth-protected-resource
+      const prmCall = f.callHistory.lastCall('https://example.com/mcp?test=1/.well-known/oauth-protected-resource');
       expect(prmCall).toBeDefined();
     });
 
     it('should try to request AS metadata from resource server if PRM doc cannot be found (non-strict mode)', async () => {
       // This is in violation of the MCP spec (the PRM endpoint is supposed to exist), but some older
       // servers serve OAuth metadata from the MCP server instead of PRM data, so we fallback to support them
       const f = fetchMock.createInstance().getOnce('https://example.com/mcp', 401);
+      // RFC 9728: PRM URL is at {resourceUrl}/.well-known/oauth-protected-resource
+      const prmUrl = 'https://example.com/mcp/.well-known/oauth-protected-resource';
       mockResourceServer(f, 'https://example.com', '/mcp')
         // Note: fetch-mock also supplies .removeRoute, but .modifyRoute has the nice property of
         // throwing if the route isn't already mocked, so we know we haven't screwed up the test
-        .modifyRoute('https://example.com/.well-known/oauth-protected-resource/mcp', {response: {status: 404}})
+        .modifyRoute(prmUrl, {response: {status: 404}})
         // Emulate the resource server serving AS metadata
         .get('https://example.com/.well-known/oauth-authorization-server', {
           issuer: DEFAULT_AUTHORIZATION_SERVER,
@@ -283,9 +287,9 @@ describe('oauthClient', () => {
       mockAuthorizationServer(f, DEFAULT_AUTHORIZATION_SERVER);
 
       const client = oauthClient(f.fetchHandler, new MemoryOAuthDb(), true, false); // strict = false
-      
+
       await client.getAuthorizationServer('https://example.com/mcp');
-      const prmCall = f.callHistory.lastCall('https://example.com/.well-known/oauth-protected-resource/mcp');
+      const prmCall = f.callHistory.lastCall(prmUrl);
       expect(prmCall).toBeDefined();
       expect(prmCall?.response?.status).toBe(404);
       // Yes, example.com - again, this test is checking an old pattern where the resource server is
@@ -296,10 +300,12 @@ describe('oauthClient', () => {
 
     it('should throw if there is no way to find AS endpoints from resource server', async () => {
       const f = fetchMock.createInstance().get('https://example.com/mcp', 401);
+      // RFC 9728: PRM URL is at {resourceUrl}/.well-known/oauth-protected-resource
+      const prmUrl = 'https://example.com/mcp/.well-known/oauth-protected-resource';
       mockResourceServer(f, 'https://example.com', '/mcp')
         // Note: fetch-mock also supplies .removeRoute, but .modifyRoute has the nice property of
         // throwing if the route isn't already mocked, so we know we haven't screwed up the test
-        .modifyRoute('https://example.com/.well-known/oauth-protected-resource/mcp', {response: {status: 404}})
+        .modifyRoute(prmUrl, {response: {status: 404}})
 
       const client = oauthClient(f.fetchHandler);
       await expect(client.getAuthorizationServer('https://example.com/mcp')).rejects.toThrow('unexpected HTTP status code');

packages/atxp-client/src/oauth.test.ts

@@ -47,7 +47,7 @@
   "dependencies": {
     "bignumber.js": "^9.3.0",
     "jose": "^6.0.11",
-    "oauth4webapi": "^3.5.0",
+    "oauth4webapi": "^3.8.3",
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1"
   },