Fall through to well-known discovery when resource metadata auth fails

[reyortiz3]

Summary

• Servers like Sourcegraph and Deepsearch include resource_metadata in their WWW-Authenticate header but list path-based URLs in their authorization_servers field (e.g. https://sourcegraph.com/.api/mcp/sourcegraph). Per RFC 8414, ToolHive extracts the path as a tenant and builds a discovery URL like /.well-known/oauth-authorization-server/.api/mcp/sourcegraph — an endpoint those servers don't serve. Validation fails and auth breaks.
• Before 6cad0b59, DeriveIssuerFromURL always stripped the path and returned the root domain issuer, which worked. That commit introduced the RFC 9728 resource metadata flow with a hard return at Priority 3, so when validation fails Priorities 4 and 5 (including DeriveIssuerFromURL) are never reached.
• Fix: capture the error from tryDiscoverFromResourceMetadata and only return on success. Failures log at DEBUG and fall through to Priority 4 (well-known probing) and Priority 5 (URL-derived issuer), restoring the previous working behaviour.

Type of change

• Bug fix

Test plan

• Unit tests (task test)

Does this introduce a user-facing change?

Yes — MCP servers that use path-based authorization_servers URLs in their resource metadata (e.g. Sourcegraph, Deepsearch) will successfully authenticate again instead of failing with a malformed discovery URL error.

Special notes for reviewers

The regression was introduced in 6cad0b59 and first shipped in v0.3.0. Two test cases were updated: malformed resource metadata URL and handles malicious resource metadata response. Both previously expected an error that can no longer be returned — the function now falls through to Priority 5 and returns a URL-derived issuer. The DoS protection property of the second test is unchanged (response body draining is still capped by MaxResponseBodyDrain; the test just now asserts the derived issuer rather than an error).

Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.55%. Comparing base (a4dc39f) to head (5e9e133).
⚠️ Report is 13 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4371      +/-   ##
==========================================
+ Coverage   69.52%   69.55%   +0.02%     
==========================================
  Files         480      480              
  Lines       48978    48981       +3     
==========================================
+ Hits        34051    34067      +16     
+ Misses      12302    12289      -13     
  Partials     2625     2625              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[lujunsan]

LGTM