Fix OAuth implementation issues from code review

- Fix resource URI validation: resource field now points to actual resource server URL
- Clean up WWW-Authenticate header: remove OAuth-specific parameters, use Location header instead
- Update tests to match new OAuth implementation
- Ensure MCP clients can successfully connect to the resource server

Author: kentcdodds

exercises/99.finished/99.solution/src/client.ts

@@ -82,10 +82,13 @@ export async function getOAuthAuthorizationServerConfig() {
 	return result.json()
 }
 
-export async function getOAuthProtectedResourceConfig() {
+export async function getOAuthProtectedResourceConfig(request: Request) {
 	// This server is the protected resource server, so we return our own configuration
+	const resourceServerUrl = new URL(request.url)
+	resourceServerUrl.pathname = '/mcp' // Point to the MCP endpoint
+
 	return {
-		resource: `${EPIC_ME_SERVER_URL}/mcp`,
+		resource: resourceServerUrl.toString(),
 		scopes: ['read', 'write'],
 		resource_owner: 'epicme',
 		resource_server: {

exercises/99.finished/99.solution/src/index.ts

@@ -86,7 +86,7 @@ export default {
 		}
 
 		if (url.pathname === '/.well-known/oauth-protected-resource/mcp') {
-			const config = await getOAuthProtectedResourceConfig()
+			const config = await getOAuthProtectedResourceConfig(request)
 			return Response.json(config)
 		}
 

exercises/99.finished/99.solution/test/index.test.ts

@@ -134,7 +134,7 @@ test('OAuth integration flow works end-to-end', async () => {
 	expect(
 		protectedResourceConfig.resource,
 		'🚨 Resource identifier should be present',
-	).toBe(`${EPIC_ME_SERVER_URL}/mcp`)
+	).toBe(`${mcpServerUrl}/mcp`)
 	expect(
 		protectedResourceConfig.scopes,
 		'🚨 Scopes should be present',