[CDTOOL-1090] fix(sso): Ensure that OPTIONS requests sent by browsers do not break SSO authentication (#1496)

Browsers may send 'preflight' OPTIONS requests before sending the GET
request which contains the authentication result; the internal webserver
will now accept this request, respond to it appropriately, and continue
waiting for the GET request.

The webserver will also explicitly reject any requests that are not
directed at the proper path, or are any method other than GET or
OPTIONS.

 All Submissions:

* [X] Have you followed the guidelines in our Contributing document?
* [X] Have you checked to ensure there aren't other open [Pull
Requests](https://github.com/fastly/cli/pulls) for the same
update/change?

<!-- You can erase any parts of this template not applicable to your
Pull Request. -->

### New Feature Submissions:

* [ ] Does your submission pass tests?

### Changes to Core Features:

* [ ] Have you added an explanation of what your changes do and why
you'd like us to include them?
* [ ] Have you written new tests for your core changes, as applicable?
* [ ] Have you successfully run tests with your changes locally?

### User Impact

* [ ] What is the user impact of this change?

### Are there any considerations that need to be addressed for release?

<!-- Any breaking changes, etc -->

Author: kpfleming

CHANGELOG.md

@@ -7,14 +7,15 @@
 ### Enhancements:
 
 ### Bug fixes:
+- fix(sso): Ensure that OPTIONS requests sent by browsers do not break SSO authentication. ([#1496](https://github.com/fastly/cli/pull/1496))
 
 ### Dependencies:
 - build(deps): `github.com/fastly/go-fastly/v10` from 10.3.0 to 10.4.0 ([#1499](https://github.com/fastly/cli/pull/1499))
 
 ## [v11.3.0](https://github.com/fastly/cli/releases/tag/v11.3.0) (2025-06-11)
 
 ### Enhancements:
-- feat(config-store): Allow for dynamic limits on Config Store entry lengths [#1485](https://github.com/fastly/cli/pull/1485)
+- feat(config-store): Allow for dynamic limits on Config Store entry lengths ([#1485](https://github.com/fastly/cli/pull/1485))
 - feat(backend): Add support for 'prefer IPv6' attribute. ([#1487](https://github.com/fastly/cli/pull/1487))
 - feat(tools/domain): add `suggest` and `status` domain tools endpoints ([#1482](https://github.com/fastly/cli/pull/1482))
 - feat(logging): Add support for 'processing region' attribute. ([#1491](https://github.com/fastly/cli/pull/1491))

pkg/auth/auth.go

@@ -28,8 +28,11 @@ const Remediation = "Please re-run the command. If the problem persists, please
 // ClientID is the auth provider's Client ID.
 const ClientID = "fastly-cli"
 
-// RedirectURL is the endpoint the auth provider will pass an authorization code to.
-const RedirectURL = "http://localhost:8080/callback"
+// redirectPath is the path in the internal webserver which will receive the authorization code.
+const redirectPath = "/callback"
+
+// redirectURL is the endpoint the auth provider will pass an authorization code to.
+const redirectURL = "http://localhost:8080" + redirectPath
 
 // OIDCMetadata is OpenID Connect's metadata discovery mechanism.
 // https://swagger.io/docs/specification/authentication/openid-connect-discovery/
@@ -110,7 +113,7 @@ func (s Server) AuthURL() (string, error) {
 	params.Add("client_id", ClientID)
 	params.Add("code_challenge", challenge)
 	params.Add("code_challenge_method", "S256")
-	params.Add("redirect_uri", RedirectURL)
+	params.Add("redirect_uri", redirectURL)
 	for _, p := range s.Params {
 		params.Add(p.Field, p.Value)
 	}
@@ -135,7 +138,7 @@ func (s Server) GetJWT(authorizationCode string) (JWT, error) {
 		ClientID,
 		s.Verifier.Verifier(),
 		authorizationCode,
-		"http://localhost:8080/callback", // NOTE: not redirected to, just a security check.
+		redirectURL, // NOTE: not redirected to, just a security check.
 	)
 
 	req, err := http.NewRequest(http.MethodPost, s.WellKnownEndpoints.Token, strings.NewReader(payload))
@@ -204,6 +207,23 @@ func (s *Server) Start() error {
 // HandleCallback processes the callback from the authentication service.
 func (s *Server) HandleCallback() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != redirectPath {
+			w.WriteHeader(http.StatusBadRequest)
+			return
+		}
+
+		switch r.Method {
+		case http.MethodOptions:
+			w.Header().Add("Access-Control-Allow-Origin", "accounts.fastly.com")
+			w.WriteHeader(http.StatusOK)
+			return
+		case http.MethodGet:
+			// handled below
+		default:
+			w.WriteHeader(http.StatusBadRequest)
+			return
+		}
+
 		authorizationCode := r.URL.Query().Get("code")
 		if authorizationCode == "" {
 			fmt.Fprint(w, "ERROR: no authorization code returned\n")