Windows: `xurl auth oauth2` generates incomplete authorization URL

[chrishuskey]

Description

Running xurl auth oauth2 --app <app_name> on Windows constructs an incomplete OAuth 2.0 authorization URL that is missing required parameters (redirect_uri, scope, and PKCE code_challenge / code_challenge_method). The browser opens to an invalid X authorization page.

Environment

• OS: Windows 11
• xurl version: v1.0.3 (manual binary install — npm install also broken, see separate issue)
• X Developer App type: Web App (Confidential client)
• Callback URI configured in X Developer Portal: http://localhost:8080/callback

Steps to Reproduce

1. Set up an X Developer app as a Web App (Confidential client) with callback URI http://localhost:8080/callback.
2. Run:

   xurl auth oauth2 --app connector-x-api-ch --client-id <CLIENT_ID> --client-secret <CLIENT_SECRET>
   

3. xurl opens a browser to the X authorization URL.
4. The URL is missing required OAuth 2.0 PKCE parameters: redirect_uri, scope, code_challenge, code_challenge_method.
5. The authorization page fails or shows an error.

Expected Behavior

The generated authorization URL should include all required OAuth 2.0 PKCE parameters per the X API v2 OAuth 2.0 spec:

https://twitter.com/i/oauth2/authorize?response_type=code&client_id=...&redirect_uri=http://localhost:8080/callback&scope=tweet.read%20users.read%20offline.access&state=...&code_challenge=...&code_challenge_method=S256

Workaround

Use OAuth 1.0a authentication instead (xurl auth oauth1), which works correctly on Windows and provides equivalent user-context access to all endpoints including bookmarks, private lists, and home timeline.

Notes

• OAuth 1.0a auth (xurl auth oauth1) works perfectly on Windows.
• Bearer token auth (xurl auth app) also works perfectly on Windows.
• Only the OAuth 2.0 flow is affected.
• This may be Windows-specific — I have not tested on macOS/Linux.