Fix(auth): improper resolution of relative token urls (#4180)

* fix(auth): improper resolution of relative token urls

* revert cc58ba7 for OAS2

In OAS2, relative token URLs are resolved against the host that serves the specs.

src/core/plugins/auth/actions.js

+import parseUrl from "url-parse"
 import win from "core/window"
 import { btoa, buildFormData } from "core/utils"
 
@@ -139,13 +140,15 @@ export const authorizeAccessCodeWithBasicAuthentication = ( { auth, redirectUrl
   return authActions.authorizeRequest({body: buildFormData(form), name, url: schema.get("tokenUrl"), auth, headers})
 }
 
-export const authorizeRequest = ( data ) => ( { fn, getConfigs, authActions, errActions, authSelectors } ) => {
+export const authorizeRequest = ( data ) => ( { fn, getConfigs, authActions, errActions, oas3Selectors, specSelectors } ) => {
   let { body, query={}, headers={}, name, url, auth } = data
-  let { additionalQueryStringParams } = authSelectors.getConfigs() || {}
-  let fetchUrl = url
 
-  for (let key in additionalQueryStringParams) {
-    url += "&" + key + "=" + encodeURIComponent(additionalQueryStringParams[key])
+  let fetchUrl
+
+  if (specSelectors.isOAS3()) {
+    fetchUrl = parseUrl(url, oas3Selectors.selectedServer()).toString()
+  } else {
+    fetchUrl = parseUrl(url, specSelectors.url()).toString()
   }
 
   let _headers = Object.assign({

test/core/plugins/auth/actions.js

+/* eslint-env mocha */
+import expect, { createSpy } from "expect"
+import { authorizeRequest } from "corePlugins/auth/actions"
+
+describe("auth plugin - actions", () => {
+
+  describe("authorizeRequest", () => {
+
+    [
+      [
+        {
+          oas3: true,
+          server: "https://host/resource",
+          scheme: "http",
+          host: null,
+          url: "http://specs/file",
+        },
+        "https://host/authorize"
+      ],
+      [
+        {
+          oas3: false,
+          server: null,
+          scheme: "https",
+          host: undefined,
+          url: "https://specs/file",
+        },
+        "https://specs/authorize"
+      ],
+      [
+        {
+          oas3: false,
+          server: null,
+          scheme: "https",
+          host: "host",
+          url: "http://specs/file",
+        },
+        "http://specs/authorize"
+      ],
+    ].forEach(([{oas3, server, scheme, host, url}, expectedFetchUrl]) => {
+      it("should resolve authorization endpoint against the server URL", () => {
+
+        // Given
+        const data = {
+          url: "/authorize"
+        }
+        const system = {
+          fn: {
+            fetch: createSpy().andReturn(Promise.resolve())
+          },
+          getConfigs: () => ({}),
+          authSelectors: {
+            getConfigs: () => ({})
+          },
+          oas3Selectors: {
+            selectedServer: () => server
+          },
+          specSelectors: {
+            isOAS3: () => oas3,
+            operationScheme: () => scheme,
+            host: () => host,
+            url: () => url
+          }
+        }
+
+        // When
+        authorizeRequest(data)(system)
+
+        // Then
+        expect(system.fn.fetch.calls.length).toEqual(1)
+        expect(system.fn.fetch.calls[0].arguments[0]).toInclude({url: expectedFetchUrl})
+      })
+    })
+  })
+})