Fix authority encoding in URL round-trips

The ParsedURL::to_string() method was not re-encoding special
characters in the authority component, causing URLs with percent-encoded
characters in userinfo (like %40 for @) to become invalid after
serialization.

This fix adds proper authority encoding by:
- Separating userinfo from host at the last @ character
- Encoding only the userinfo part while preserving host[:port]
- Using appropriate allowed characters for authority encoding

Added comprehensive tests to verify correct round-trip behavior for
various URL patterns including encoded @, spaces, and multiple special
characters in the authority.

Author: Mic92

src/libutil-tests/url.cc

@@ -295,6 +295,39 @@ namespace nix {
         ASSERT_EQ(b, "abd%20/%20def");
     }
 
+    TEST(parseURL, authorityEncodingRoundTrip) {
+        // Test various special characters in authority
+        std::vector<std::pair<std::string, std::string>> testCases = {
+            // URL with encoded @, decoded authority
+            {"https://user%40domain@example.com/path", "user@domain@example.com"},
+            // URL with encoded space
+            {"https://user%20name@example.com/path", "user name@example.com"},
+            // URL with colon (colon is allowed in userinfo for username:password)
+            {"https://user:pass@example.com/path", "user:pass@example.com"},
+            // URL with multiple encoded characters
+            {"https://user%40%20name:pass@example.com/path", "user@ name:pass@example.com"},
+            // URL with no userinfo
+            {"https://example.com/path", "example.com"},
+            // URL with port
+            {"https://user%40name@example.com:8080/path", "user@name@example.com:8080"},
+        };
+
+        for (const auto& [url, expectedAuth] : testCases) {
+            auto parsed = parseURL(url);
+            ASSERT_EQ(parsed.authority.value(), expectedAuth);
+
+            // Verify round-trip - the URL should be preserved
+            auto reconstructed = parsed.to_string();
+            auto reparsed = parseURL(reconstructed);
+            ASSERT_EQ(reparsed.authority.value(), expectedAuth);
+
+            // For URLs with encoded characters in userinfo, verify exact round-trip
+            if (url.find("%") != std::string::npos && url.find("@") != std::string::npos) {
+                ASSERT_EQ(reconstructed, url);
+            }
+        }
+    }
+
     TEST(percentEncode, inverseOfDecode) {
         std::string original = "%3D%3D%40%3D%3D";
         std::string once = percentEncode(original);

src/libutil/url.cc

@@ -117,6 +117,7 @@ try {
 
 const static std::string allowedInQuery = ":@/?";
 const static std::string allowedInPath = ":@/";
+const static std::string allowedInAuthority = ":!$&'()*+,;=";
 
 std::string encodeQuery(const StringMap & ss)
 {
@@ -132,12 +133,29 @@ std::string encodeQuery(const StringMap & ss)
     return res;
 }
 
+static std::string encodeAuthority(const std::string& auth)
+{
+    // Find the last @ to separate userinfo from host
+    // The last @ is the delimiter, any @ before that is part of userinfo
+    auto lastAt = auth.rfind('@');
+    if (lastAt != std::string::npos) {
+        // We have userinfo
+        auto userinfo = auth.substr(0, lastAt);
+        auto hostPort = auth.substr(lastAt + 1);
+        // In the userinfo part, @ needs to be encoded along with other special chars
+        // But : is allowed in userinfo for username:password
+        return percentEncode(userinfo, allowedInAuthority) + "@" + hostPort;
+    }
+    // No userinfo, just host[:port]
+    return auth;
+}
+
 std::string ParsedURL::to_string() const
 {
     return
         scheme
         + ":"
-        + (authority ? "//" + *authority : "")
+        + (authority ? "//" + encodeAuthority(*authority) : "")
         + percentEncode(path, allowedInPath)
         + (query.empty() ? "" : "?" + encodeQuery(query))
         + (fragment.empty() ? "" : "#" + percentEncode(fragment));