fix: rename routePrefix to issuerPath and add issuer-mismatch scenario #203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

pcarleton wants to merge 1 commit into main from paulc/fix-issuer-path-derivation

Open

fix: rename routePrefix to issuerPath and add issuer-mismatch scenario #203

fix: rename routePrefix to issuerPath and add issuer-mismatch scenario

Claude / Claude Code Review completed Apr 21, 2026 in 5m 19s

Code review found 1 important issue

Found 1 candidates, confirmed 1. See review comments for details.

Details

Severity	Count
🔴 Important	1
🟡 Nit	0
🟣 Pre-existing	0

Severity	File:Line	Issue
🔴 Important	`src/scenarios/client/auth/issuer-mismatch.ts:79-96`	issuer-mismatch test can false-pass if client never fetches AS metadata

Annotations

Check failure on line 96 in src/scenarios/client/auth/issuer-mismatch.ts

claude / Claude Code Review

issuer-mismatch test can false-pass if client never fetches AS metadata

This check can false-pass: `correctlyRejected` is derived solely from `\!authorizationRequestMade`, so a client that errors out *before* ever fetching AS metadata (e.g. fails PRM parsing or doesn't support OAuth at all) will be reported as having 'correctly rejected the mismatched issuer' — even though it never saw the issuer. Consider gating SUCCESS on `this.checks.some(c => c.id === 'authorization-server-metadata')` so the client must have actually fetched the metadata containing the bad issue

View more details on Claude