Conversation

@tusharpandey13
Contributor

@tusharpandey13 tusharpandey13 commented Nov 3, 2025

This PR enables support for secure browser-initiated My-Account and My-Org API calls through a handleProxy handler, a transparent and secure authenticating proxy that handles secure API calls originating from the browser.

Changes

  • auth-client.ts: added methods handleMyAccount and handleMyOrg, added matchers for these in handler.
  • utils/proxy.ts: header filters, url transform, proxy matcher

Tests

proxy-handler.test.ts: Added tests for proxy handler covering:

  • Basic Proxy Routing & Session Management
  • HTTP Method Routing
  • URL Path Matching & Transformation
  • HTTP Headers Forwarding
  • Request Body Handling
  • Bearer Token Handling
  • DPoP Token Handling
  • Session Update After Token Refresh
  • Error Scenarios
  • Concurrent Request Handling
  • CORS Handling

proxy.test.ts: Tests for header filters, url transform, proxy matcher
auth-client.proxy.test.ts: proxy tests specific to my-account and my-org
auth-client.test.ts: updated test cases

References

  • RFC 2616
  • RFC 7231
  • RFC 6454
  • RFC 9449
  • WHATWG Fetch Spec

Implementation details

The proxy matcher uses the following rules:

if (sanitizedPathname.startsWith("/me/")) {
  return this.handleMyAccount(req);
} else if (sanitizedPathname.startsWith("/my-org/")) {
  return this.handleMyOrg(req);
}

The scope header is used to supply the scope (not auth0-scope).

@tusharpandey13 tusharpandey13 requested a review from a team as a code owner November 3, 2025 13:08
@codecov-commenter

codecov-commenter commented Nov 3, 2025

Codecov Report

❌ Patch coverage is 97.05882% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.71%. Comparing base (05ec221) to head (f7487b9).

Files with missing lines                  Patch %   Lines
src/server/auth-client.ts                 96.26%    5 Missing ⚠️
src/test/proxy-handler-test-helpers.ts    95.41%    5 Missing ⚠️

Impacted files:
@@            Coverage Diff             @@
##             main    #2400      +/-   ##
==========================================
+ Coverage   87.90%   88.71%   +0.80%     
==========================================
  Files          37       39       +2     
  Lines        4127     4466     +339     
  Branches      818      883      +65     
==========================================
+ Hits         3628     3962     +334     
- Misses        496      501       +5     
  Partials        3        3              

☔ View full report in Codecov by Sentry.

@tusharpandey13 tusharpandey13 changed the title from "feat: Proxy handler support enabling My-Account and My Org" to "feat: Proxy handler support enabling My Account and My Org" Nov 3, 2025
@tusharpandey13 tusharpandey13 force-pushed the feat/my-account-my-org-clean branch from ade1a6f to 25b1669 November 3, 2025 15:48
nandan-bhat previously approved these changes Nov 4, 2025
@tusharpandey13 tusharpandey13 force-pushed the feat/my-account-my-org-clean branch from f7487b9 to d3ca61a November 4, 2025 15:53
}

async handleMyAccount(req: NextRequest): Promise<NextResponse> {
return this.#handleProxy(req, {

@nandan-bhat nandan-bhat Nov 4, 2025


/me and /my-org use DPoP. When DPoP is disabled, #handleProxy falls back to Bearer. Does it make sense to return an error immediately when /me or /my-org are accessed when DPoP is disabled?
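To make the routing rule from the PR description and the fail-closed option raised in this comment concrete, here is an added example (not the PR's own code, and not the nextjs-auth0 API). It routes sanitized paths under /me/ and /my-org/ to assumed upstream base URLs, carries the browser-supplied scope header along as the description states, and, behind a hypothetical requireDpop option, rejects the request outright when DPoP is disabled instead of falling back to Bearer.

```typescript
// Added example, not the PR's own code. Upstream base URLs, the option names
// and the ProxyDecision shape are assumptions for illustration.

const MY_ACCOUNT_BASE = "https://tenant.example.com/me";   // assumed
const MY_ORG_BASE = "https://tenant.example.com/my-org";   // assumed

export type ProxyTarget = "my-account" | "my-org";

export interface ProxyRoute {
  target: ProxyTarget;
  upstreamUrl: string;
  // Value of the browser-supplied `scope` header, as the PR description uses it.
  scope: string | null;
}

export type ProxyDecision =
  | { kind: "proxy"; route: ProxyRoute }
  | { kind: "reject"; status: number; reason: string }
  | { kind: "no-match" };

export interface ProxyOptions {
  dpopEnabled: boolean;
  // Hypothetical option: reject /me and /my-org outright when DPoP is off.
  requireDpop?: boolean;
}

// Normalise the path before matching so that "//me/x" cannot slip past the
// prefix check and dot segments ("/me/../my-org/x") are resolved before the
// prefix is tested. WHATWG URL resolution handles "." and ".." for us.
export function sanitizePathname(pathname: string): string {
  const collapsed = pathname.replace(/\/{2,}/g, "/");
  return new URL(collapsed, "http://placeholder.invalid").pathname;
}

export function decideProxy(
  requestUrl: string,
  headers: Headers,
  opts: ProxyOptions,
): ProxyDecision {
  const url = new URL(requestUrl);
  const pathname = sanitizePathname(url.pathname);

  let target: ProxyTarget;
  let base: string;
  let prefix: string;
  if (pathname.startsWith("/me/")) {
    target = "my-account"; base = MY_ACCOUNT_BASE; prefix = "/me";
  } else if (pathname.startsWith("/my-org/")) {
    target = "my-org"; base = MY_ORG_BASE; prefix = "/my-org";
  } else {
    // Same rule as the PR: a bare "/me" or an unrelated prefix is not proxied.
    return { kind: "no-match" };
  }

  // The reviewer's point: both APIs expect DPoP-bound tokens, so a deployment
  // with DPoP disabled is a misconfiguration worth surfacing, not hiding.
  if (opts.requireDpop && !opts.dpopEnabled) {
    return {
      kind: "reject",
      status: 500,
      reason: `${target} requires DPoP but DPoP is disabled`,
    };
  }

  // Keep the remainder of the path and the query string; strip only the prefix.
  const upstreamUrl = base + pathname.slice(prefix.length) + url.search;
  return { kind: "proxy", route: { target, upstreamUrl, scope: headers.get("scope") } };
}
```

Without requireDpop the function keeps the PR's current behaviour (the caller decides between DPoP and Bearer); with it set, a misconfigured deployment is visible at the first /me or /my-org call rather than surfacing later as an upstream 401.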

}
};

const updateProfile = async (updates) => {

@nandan-bhat nandan-bhat Nov 4, 2025


If the page makes a My Account request (updateProfile in this case) during page render, and that page is linked using the Next.js <Link> component, it could trigger an actual API request during prefetch in production.

I think we should either fix this or document this.

!HOP_BY_HOP_HEADERS.has(lowerKey);

if (shouldForward) {
forwardedHeaders.set(key, value);


This is a minor one.

  • If headers are case-insensitive, we can set forwardedHeaders.set(lowerKey, value); anyway.
  • If headers are case-sensitive, we should not do key.toLowerCase();

But, headers are case-insensitive, so this should be fine.
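As an added example of the header-forwarding step this comment discusses (not the PR's code, and not the project's utils/proxy.ts), the filter below drops the hop-by-hop headers listed in RFC 2616 §13.5.1 / RFC 7230 §6.1, also drops any header the incoming Connection header names as hop-by-hop, keeps the browser's own credentials for the app origin (Cookie, Authorization, Host) off the upstream leg, and then sets the proxy's own Authorization from the server-side token. The NEVER_FORWARD set and the function name are assumptions. It also shows why the case question is moot with the Fetch Headers API: names are normalised to lowercase on set and matched case-insensitively on get.

```typescript
// Added example, not the PR's code. Hop-by-hop names are from RFC 2616
// §13.5.1 / RFC 7230 §6.1; the NEVER_FORWARD set is an assumption.

const HOP_BY_HOP_HEADERS = new Set([
  "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
  "te", "trailer", "transfer-encoding", "upgrade",
]);

// Headers that belong to the browser<->app leg and must not reach the API:
// the app session cookie, any browser-supplied Authorization, and Host
// (fetch derives Host from the upstream URL).
const NEVER_FORWARD = new Set(["host", "cookie", "authorization"]);

export function buildForwardHeaders(
  incoming: Headers,
  accessToken: string,
  tokenType: "Bearer" | "DPoP" = "Bearer",
): Headers {
  const forwarded = new Headers();

  // RFC 7230 §6.1: field names listed in Connection are hop-by-hop for this
  // hop too, so they are stripped along with the fixed list above.
  const connectionListed = new Set(
    (incoming.get("connection") ?? "")
      .split(",")
      .map((s) => s.trim().toLowerCase())
      .filter((s) => s.length > 0),
  );

  incoming.forEach((value, key) => {
    // Headers already normalises names to lowercase; the explicit
    // toLowerCase() is harmless and keeps the filter correct for other
    // Headers-like inputs.
    const name = key.toLowerCase();
    const shouldForward =
      !HOP_BY_HOP_HEADERS.has(name) &&
      !connectionListed.has(name) &&
      !NEVER_FORWARD.has(name);
    if (shouldForward) {
      forwarded.set(name, value);
    }
  });

  // The proxy authenticates upstream with the session's token, never with
  // anything the browser sent.
  forwarded.set("authorization", `${tokenType} ${accessToken}`);
  return forwarded;
}

// Constructed sample request headers, as a browser might send them.
export function sampleForwardedHeaders(): Headers {
  const incoming = new Headers({
    "Content-Type": "application/json",
    "Accept": "application/json",
    "Cookie": "appSession=constructed-session-cookie",
    "Authorization": "Bearer constructed-browser-token",
    "Connection": "keep-alive, X-Trace",
    "X-Trace": "constructed-trace-id",
  });
  return buildForwardHeaders(incoming, "constructed-server-token", "DPoP");
}
```

Reading the result back with either "Content-Type" or "content-type" returns the same value, which is the point of the comment: lowercasing the key before the set call changes nothing observable.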
