fix: use proper URL encoding in OAuth URL generation

Replace manual string concatenation with urllib.parse functions for secure URL construction:
- Use urlencode() for query parameters to prevent injection
- Use urlunsplit() for proper URL assembly
- Update tests to match encoded output

Addresses: #211 (comment)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: AdamVyborny

src/keboola_mcp_server/tools/oauth.py

@@ -2,6 +2,7 @@
 
 import logging
 from typing import Annotated
+from urllib.parse import urlencode, urlunsplit
 
 from fastmcp import Context
 from fastmcp.tools import FunctionTool
@@ -56,9 +57,18 @@ async def create_oauth_url(
     storage_api_url = client.storage_client.base_api_url
 
     # Generate OAuth URL
-    oauth_url = (
-        f'https://external.keboola.com/oauth/index.html?token={sapi_token}'
-        f'&sapiUrl={storage_api_url}#/{component_id}/{config_id}'
-    )
+    query_params = urlencode({
+        'token': sapi_token,
+        'sapiUrl': storage_api_url
+    })
+    fragment = f'/{component_id}/{config_id}'
+
+    oauth_url = urlunsplit((
+        'https',  # scheme
+        'external.keboola.com',  # netloc
+        '/oauth/index.html',  # path
+        query_params,  # query
+        fragment  # fragment
+    ))
 
     return oauth_url

tests/tools/test_oauth.py

@@ -47,7 +47,7 @@ async def test_create_oauth_url_success(
     expected_url = (
         f'https://external.keboola.com/oauth/index.html'
         f'?token=KBC_TOKEN_12345'
-        f'&sapiUrl=https://connection.test.keboola.com'
+        f'&sapiUrl=https%3A%2F%2Fconnection.test.keboola.com'
         f'#/{component_id}/{config_id}'
     )
     assert result == expected_url