fix: magic links missing root prefix (#133)

* Fix magic links

* Include changeset

---------

Co-authored-by: Matt Kane <mkane@cloudflare.com>

packages/auth/src/invite.ts

@@ -68,7 +68,7 @@ export async function createInviteToken(
 	});
 
 	// Build invite URL
-	const url = new URL("/api/auth/invite/accept", config.baseUrl);
+	const url = new URL("/_emdash/api/auth/invite/accept", config.baseUrl);
 	url.searchParams.set("token", token);
 
 	return { url: url.toString(), email };

packages/auth/src/magic-link/index.ts

@@ -63,7 +63,7 @@ export async function sendMagicLink(
 	});
 
 	// Build magic link URL
-	const url = new URL("/api/auth/magic-link/verify", config.baseUrl);
+	const url = new URL("/_emdash/api/auth/magic-link/verify", config.baseUrl);
 	url.searchParams.set("token", token);
 
 	// Send email

packages/auth/src/oauth/consumer.ts

@@ -40,7 +40,10 @@ export async function createAuthorizationUrl(
 
 	const provider = getProvider(providerName);
 	const state = generateState();
-	const redirectUri = `${config.baseUrl}/api/auth/oauth/${providerName}/callback`;
+	const redirectUri = new URL(
+		`/_emdash/api/auth/oauth/${providerName}/callback`,
+		config.baseUrl,
+	).toString();
 
 	// Generate PKCE code verifier for providers that support it
 	const codeVerifier = generateCodeVerifier();

packages/auth/src/signup.ts

@@ -91,7 +91,7 @@ export async function requestSignup(
 	});
 
 	// Build verification URL
-	const url = new URL("/api/auth/signup/verify", config.baseUrl);
+	const url = new URL("/_emdash/api/auth/signup/verify", config.baseUrl);
 	url.searchParams.set("token", token);
 
 	// Send email

packages/core/tests/unit/auth/invite.test.ts

@@ -56,6 +56,7 @@ describe("Invite", () => {
 
 			expect(result.email).toBe("new@example.com");
 			expect(result.url).toContain("https://example.com");
+			expect(result.url).toContain("/_emdash/api/auth/invite/accept?token=");
 			expect(result.url).toMatch(TOKEN_PARAM_REGEX);
 			// Should NOT have a token field on the result
 			expect("token" in result).toBe(false);

packages/core/tests/unit/auth/magic-link.test.ts

@@ -0,0 +1,53 @@
+import type { AuthAdapter, EmailSendFn } from "@emdash-cms/auth";
+import type { EmailMessage } from "@emdash-cms/auth";
+import { Role, sendMagicLink } from "@emdash-cms/auth";
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+import type { Kysely } from "kysely";
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+
+import type { Database } from "../../../src/database/types.js";
+import { setupTestDatabase, teardownTestDatabase } from "../../utils/test-db.js";
+
+describe("Magic Link", () => {
+	let db: Kysely<Database>;
+	let adapter: AuthAdapter;
+	let mockEmailSend: EmailSendFn & ReturnType<typeof vi.fn>;
+	let sentEmails: Array<EmailMessage>;
+
+	beforeEach(async () => {
+		db = await setupTestDatabase();
+		adapter = createKyselyAdapter(db);
+		sentEmails = [];
+		mockEmailSend = vi.fn(async (email: EmailMessage) => {
+			sentEmails.push(email);
+		});
+	});
+
+	afterEach(async () => {
+		await teardownTestDatabase(db);
+	});
+
+	it("sends verify links through the injected EmDash auth route", async () => {
+		await adapter.createUser({
+			email: "author@example.com",
+			name: "Author",
+			role: Role.AUTHOR,
+			emailVerified: true,
+		});
+
+		await sendMagicLink(
+			{
+				baseUrl: "https://example.com",
+				siteName: "Test Site",
+				email: mockEmailSend,
+			},
+			adapter,
+			"author@example.com",
+		);
+
+		expect(mockEmailSend).toHaveBeenCalledOnce();
+		expect(sentEmails[0]!.text).toContain(
+			"https://example.com/_emdash/api/auth/magic-link/verify?token=",
+		);
+	});
+});

packages/core/tests/unit/auth/signup.test.ts

@@ -111,6 +111,9 @@ describe("Self-Signup", () => {
 			expect(mockEmailSend).toHaveBeenCalledTimes(1);
 			expect(sentEmails[0]!.to).toBe("newuser@allowed.com");
 			expect(sentEmails[0]!.subject).toContain("Test Site");
+			expect(sentEmails[0]!.text).toContain(
+				"https://example.com/_emdash/api/auth/signup/verify?token=",
+			);
 			expect(sentEmails[0]!.text).toContain("verify");
 		});