app: Fix ARN encoding in web launcher URL

[juliaogris]

When an AWS console app role ARN contains a / in the path component (e.g.
arn:aws:iam::123:role/my-role), the web launcher redirect truncates the ARN
at the slash.

The configured IAM role ARN must appear exactly in the session cert for the
access check to pass. When the cert carries a truncated value
(arn:aws:iam::123:role instead of arn:aws:iam::123:role/my-role), the app
service rejects the mismatch and the user gets "Not Found".

This is a regression from the react-router v7 upgrade
(PR gravitational/teleport#63496).

The app launcher route is /web/launch/:fqdn/:clusterId?/:publicAddr?/:arn?.
Both v5 and v7 encode / as %2F in generatePath. The difference is
useParams(): v5 (via path-to-regexp 1.9.0) returned the raw percent-encoded
value, while v7 (which dropped path-to-regexp) auto-decodes it. This changes
how the ARN travels through the auth exchange.

Confirmed by bisecting between the commit before the v7 upgrade (c75ea42)
and the upgrade commit itself (6298fe2). The cert.create audit event shows
the difference:

Before (v5): route_to_app:map[aws_role_arn:arn:aws:iam::123456789012:role/my-role ...]
After (v7):  route_to_app:map[aws_role_arn:arn:aws:iam::123456789012:role ...]

Percent-encode the ARN with url.PathEscape before appending it to the URL
path, and replace path.Join with strings.Join plus explicit RawPath/Path
setting so that %2F survives URL serialization.

react-router v5 vs v7 vs v7 with this fix

v5 (react-router 5.3.4, path-to-regexp 1.9.0):

1. (JS) generatePath encodes / → %2F. URL: .../arn%3Aaws%3Aiam%3A%3A123%3Arole%2Fmy-role
2. (JS) useParams() does NOT decode → params.arn = arn%3Aaws%3Aiam%3A%3A123%3Arole%2Fmy-role 🔑
3. (JS) searchParams.set('arn', params.arn) double-encodes → arn=arn%253A...%252Fmy-role
4. (Go) q.Get("arn") decodes one layer → arn%3Aaws%3Aiam%3A%3A123%3Arole%2Fmy-role
5. (Go) path.Join sees %2F as literal characters, not a slash → ARN stays as one segment ✅
6. (Go) Redirect URL path has %2F intact
7. (JS) Second trip: :arn? matches the whole thing because %2F is not a / ✅
8. (JS) decodeURIComponent(params.arn) → arn:aws:iam::123:role/my-role
9. (JS) createAppSession POSTs arn: "arn:aws:iam::123:role/my-role"
10. (Go) Auth server issues X.509 cert with aws_role_arn = arn:aws:iam::123:role/my-role
11. (Go) App service compares cert ARN against configured role → exact match, access granted ✅

v7 broken (react-router 7.13.0, no path-to-regexp):

1. (JS) generatePath encodes / → %2F. URL: same as v5
2. (JS) useParams() auto-decodes %2F → params.arn = arn:aws:iam::123:role/my-role (literal /) 💥
3. (JS) searchParams.set('arn', params.arn) single-encodes → arn=arn%3A...role%2Fmy-role
4. (Go) q.Get("arn") decodes → arn:aws:iam::123:role/my-role (literal /)
5. (Go) path.Join outputs path with literal / inside the ARN, indistinguishable from structural slashes
6. (Go) Redirect URL: .../arn:aws:iam::123:role/my-role?state=TOKEN
7. (JS) Second trip: :arn? matches [^/]+, captures only arn:aws:iam::123:role. my-role becomes a stray segment, discarded 💥
8. (JS) decodeURIComponent is a no-op on the already-truncated value
9. (JS) createAppSession POSTs arn: "arn:aws:iam::123:role"
10. (Go) Auth server issues X.509 cert with aws_role_arn = arn:aws:iam::123:role
11. (Go) App service compares cert ARN against configured role → mismatch, "Not Found" ❌

v7 with this fix:

1. (JS) generatePath encodes / → %2F. URL: same as above
2. (JS) useParams() auto-decodes %2F → params.arn = arn:aws:iam::123:role/my-role (literal /)
3. (JS) searchParams.set('arn', params.arn) single-encodes → arn=arn%3A...role%2Fmy-role
4. (Go) q.Get("arn") decodes → arn:aws:iam::123:role/my-role (literal /)
5. (Go) url.PathEscape(req.arn) re-encodes / → %2F 🔧
6. (Go) strings.Join preserves %2F as literal characters (replaces path.Join) 🔧
7. (Go) u.RawPath set with encoded value. url.URL.String() uses RawPath → %2F intact 🔧
8. (JS) Second trip: URL has %2F in path. :arn? matches the whole encoded segment. useParams() auto-decodes → full ARN ✅
9. (JS) decodeURIComponent(params.arn) is a no-op (already decoded)
10. (JS) createAppSession POSTs arn: "arn:aws:iam::123:role/my-role"
11. (Go) Auth server issues X.509 cert with aws_role_arn = arn:aws:iam::123:role/my-role
12. (Go) App service compares cert ARN against configured role → exact match, access granted ✅

Issue: #64823

Manual Test Plan

Test Environment

Local Teleport instance with an AWS console app configured with an IAM
role whose ARN contains a path component
(arn:aws:iam::<ACCOUNT>:role/<ROLE_NAME>).

Test Cases

• Open the web UI, click the awsconsole app, select the role from
  the picker. The AWS console opens instead of "Not Found".
• Same test in an incognito window (exercises the full auth exchange
  round-trip through makeAppRedirectURL).
• CLI access: tsh apps login awsconsole --aws-role <ARN> followed
  by tsh aws sts get-caller-identity returns the assumed role.
• Launch a non-AWS app from the web UI. No regression.

[juliaogris]

@codex - could I have a review please?

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 👍

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. You're on a roll.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[juliaogris]

@claude review please

[claude]

My previous concern about the PathUnescape fallback has been addressed — all segments are now url.PathEscaped before building RawPath, making the error path unreachable. LGTM.

Extended reasoning...

Overview

This PR fixes a regression introduced by the react-router v7 upgrade: useParams() in v7 auto-decodes percent-encoded path segments, causing ARNs with / to be split at the slash during the redirect round-trip. The fix applies url.PathEscape to all URL path segments on the Go side and sets u.RawPath explicitly so that %2F survives serialization.

Security risks

The changed code handles user-controlled input (ARN, cluster name, public address) in URL construction. The url.PathEscape applied to all segments prevents injection of bare slashes or invalid percent sequences into the redirect URL path. No auth bypass or privilege escalation vectors are introduced.

Level of scrutiny

This is a focused regression fix in the app launcher URL construction path. The logic is well-documented with a detailed step-by-step breakdown in the PR description, and the fix is confirmed by bisection. The change is confined to makeAppRedirectURL in handler.go and corresponding JS/test updates.

Prior review resolution

My previous inline comment flagged that an intermediate version had a u.Path = u.RawPath fallback on PathUnescape error which would corrupt the ARN encoding. The author addressed this by applying url.PathEscape to all path segments (not just the ARN) before building RawPath. Since url.PathEscape guarantees valid percent-encoding, url.PathUnescape now always succeeds and the discarded error is genuinely unreachable. The Codex P2 comment about unescaped non-ARN segments was resolved by the same change.

[claude]

LGTM — the url.PathEscape-all-segments approach I recommended has been correctly implemented and the broken fallback removed.

Extended reasoning...

Overview

This PR fixes a regression in the AWS console app launcher introduced by the react-router v5→v7 upgrade. The core issue: react-router v7's useParams() auto-decodes percent-encoded path segments (e.g. %2F→/), so ARNs with slashes were being truncated at the slash on the second round-trip. The fix is applied in Go (makeAppRedirectURL) by re-escaping the decoded ARN with url.PathEscape before embedding it in RawPath, and by switching from path.Join (which treats / structurally) to strings.Join (which preserves literal %2F). The JS side already has the right behavior since useParams() decodes the segment for createAppSession.

Security risks

No security risks. The changed code builds a redirect URL for the app launcher flow. URL encoding is tightened (all segments now go through url.PathEscape), which if anything reduces exposure to path-traversal via crafted cluster or publicAddr values. No authentication logic, crypto, or authorization checks are modified.

Level of scrutiny

Medium. The change touches URL construction in the app auth redirect flow, which is a user-visible path but not a security boundary itself. The PR description includes a detailed step-by-step trace of the encoding flow across all three scenarios (v5, v7-broken, v7-fixed), which is unusually thorough and makes the correctness easy to verify.

Other factors

My previous review identified that the intermediate version (with u.Path = u.RawPath fallback) was actively wrong — it would double-encode %2F to %252F when triggered. The author resolved this exactly as I suggested: apply url.PathEscape to all non-ARN segments so the error path is never reachable and the fallback was removed. The inline comment was resolved and Codex also gave a clean pass on the updated revision. New tests cover multi-level ARN paths, special characters, and a round-trip test through React Router routing. No bugs found by the bug hunting system.