Fix HTTP Basic authentication in OAuth client

The applyBasicAuth function was incorrectly trying to set headers using
array notation on a Headers object. Fixed by using the proper Headers.set()
method instead of treating it as a plain object.

This ensures that HTTP Basic authentication works correctly when
client_secret_basic is the selected authentication method.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: ochafik

src/client/auth.test.ts

@@ -684,11 +684,11 @@ describe("OAuth Authorization", () => {
       expect(body.get("grant_type")).toBe("authorization_code");
       expect(body.get("code")).toBe("code123");
       expect(body.get("code_verifier")).toBe("verifier123");
-      expect(body.get("client_id")).toBe("client123");
+      expect(body.get("client_id")).toBeNull();
       expect(body.get("redirect_uri")).toBe("http://localhost:3000/callback");
       expect(body.get("example_url")).toBe("https://auth.example.com/token");
       expect(body.get("example_param")).toBe("example_value");
-      expect(body.get("client_secret")).toBeUndefined;
+      expect(body.get("client_secret")).toBeNull();
     });
 
     it("validates token response schema", async () => {
@@ -829,10 +829,10 @@ describe("OAuth Authorization", () => {
       const body = mockFetch.mock.calls[0][1].body as URLSearchParams;
       expect(body.get("grant_type")).toBe("refresh_token");
       expect(body.get("refresh_token")).toBe("refresh123");
-      expect(body.get("client_id")).toBe("client123");
+      expect(body.get("client_id")).toBeNull();
       expect(body.get("example_url")).toBe("https://auth.example.com/token");
       expect(body.get("example_param")).toBe("example_value");
-      expect(body.get("client_secret")).toBeUndefined;
+      expect(body.get("client_secret")).toBeNull();
     });
 
     it("exchanges refresh token for new tokens and keep existing refresh token if none is returned", async () => {
@@ -1632,7 +1632,7 @@ describe("OAuth Authorization", () => {
       const request = mockFetch.mock.calls[0][1];
 
       // Check Authorization header
-      const authHeader = request.headers["Authorization"];
+      const authHeader = request.headers.get("Authorization");
       const expected = "Basic " + btoa("client123:secret123");
       expect(authHeader).toBe(expected);
 
@@ -1660,7 +1660,7 @@ describe("OAuth Authorization", () => {
       const request = mockFetch.mock.calls[0][1];
 
       // Check no Authorization header
-      expect(request.headers["Authorization"]).toBeUndefined();
+      expect(request.headers.get("Authorization")).toBeNull();
 
       const body = request.body as URLSearchParams;
       expect(body.get("client_id")).toBe("client123");
@@ -1692,7 +1692,7 @@ describe("OAuth Authorization", () => {
       const request = mockFetch.mock.calls[0][1];
 
       // Check no Authorization header
-      expect(request.headers["Authorization"]).toBeUndefined();
+      expect(request.headers.get("Authorization")).toBeNull();
 
       const body = request.body as URLSearchParams;
       expect(body.get("client_id")).toBe("client123");
@@ -1717,7 +1717,7 @@ describe("OAuth Authorization", () => {
       const request = mockFetch.mock.calls[0][1];
 
       // Check no Authorization header
-      expect(request.headers["Authorization"]).toBeUndefined();
+      expect(request.headers.get("Authorization")).toBeNull();
 
       const body = request.body as URLSearchParams;
       expect(body.get("client_id")).toBe("client123");
@@ -1770,7 +1770,7 @@ describe("OAuth Authorization", () => {
       const request = mockFetch.mock.calls[0][1];
 
       // Check Authorization header
-      const authHeader = request.headers["Authorization"];
+      const authHeader = request.headers.get("Authorization");
       const expected = "Basic " + btoa("client123:secret123");
       expect(authHeader).toBe(expected);
 
@@ -1797,7 +1797,7 @@ describe("OAuth Authorization", () => {
       const request = mockFetch.mock.calls[0][1];
 
       // Check no Authorization header
-      expect(request.headers["Authorization"]).toBeUndefined();
+      expect(request.headers.get("Authorization")).toBeNull();
 
       const body = request.body as URLSearchParams;
       expect(body.get("client_id")).toBe("client123");

src/client/auth.ts

@@ -167,7 +167,7 @@ function selectClientAuthMethod(
 function applyClientAuthentication(
   method: string,
   clientInformation: OAuthClientInformation,
-  headers: HeadersInit,
+  headers: Headers,
   params: URLSearchParams
 ): void {
   const { client_id, client_secret } = clientInformation;
@@ -193,13 +193,13 @@ function applyClientAuthentication(
 /**
  * Applies HTTP Basic authentication (RFC 6749 Section 2.3.1)
  */
-function applyBasicAuth(clientId: string, clientSecret: string | undefined, headers: HeadersInit): void {
+function applyBasicAuth(clientId: string, clientSecret: string | undefined, headers: Headers): void {
   if (!clientSecret) {
     throw new Error("client_secret_basic authentication requires a client_secret");
   }
 
   const credentials = btoa(`${clientId}:${clientSecret}`);
-  (headers as any)["Authorization"] = `Basic ${credentials}`;
+  headers.set("Authorization", `Basic ${credentials}`);
 }
 
 /**
@@ -635,10 +635,6 @@ export async function exchangeAuthorization(
     );
   }
 
-  // const headers: HeadersInit = {
-  //   "Content-Type": "application/x-www-form-urlencoded",
-  // };
-
   // // Exchange code for tokens
   const headers = new Headers({
     "Content-Type": "application/x-www-form-urlencoded",