fix: preserve "//" in redirect URLs with empty authority

[vatsalpatel]

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

Custom-scheme PKCE redirect URIs with empty authority get the // stripped when serialized. Go's net/url normalizes scheme:// with no host down to scheme: on String():

input: "myapp://"             → "myapp:?code=ABC"           ❌
input: "com.example.app://"   → "com.example.app:?code=..." ❌
input: "myapp://host"         → "myapp://host?code=ABC"     ✅
input: "https://example.com"  → "https://example.com?..."   ✅

iOS/Android clients registered for the scheme:// form don't match scheme:?..., so native Sign in with Apple / Google deep links via PKCE fail silently. Affects every redirect URL builder that round-trips through url.Parse → mutate → u.String():

• internal/api/verify.go — prepErrorRedirectURL, prepRedirectURL, prepPKCERedirectURL
• internal/api/oauthserver/authorize.go — buildSuccessRedirectURL, buildErrorRedirectURL

This is RFC 3986 §3.2 behavior (authority component is optional but // only appears when authority is present), not a Go bug - net/url is correct to normalize. The fix preserves the original input shape rather than fighting the standard.

What is the new behavior?

Adds utilities.PreserveEmptyAuthority which detects when the original input used scheme:// with empty authority and restores the // that net/url drops. Applied at all five build sites above.

Leaves already-correct inputs untouched (including intentional scheme: without slashes, and any URL with a host or path).

Test plan

• go test -run TestPreserveEmptyAuthority ./internal/utilities — table-driven coverage for empty authority, host+path, triple-slash, existing query, fragment, reverse-DNS schemes, plain scheme: (unchanged), and https:// (unchanged).
• go vet ./... clean
• Existing test suite still passes

Closes #2423

[vatsalpatel]

Hi @cstockton, would you have a few minutes to take a look at this when you get a chance? Happy to rebase or adjust if anything needs changing.