fix: respect proxy headers when constructing resource URLs in withMcpAuth and protectedResourceHandler

[quuu]

This pull request adds robust support for detecting the public-facing URL and origin of requests, especially when running behind reverse proxies. It introduces new utility functions to correctly interpret proxy headers, updates authentication handlers to use these utilities or allow explicit URL overrides, and adds comprehensive tests for these scenarios.

Proxy-aware URL detection and utilities:

• Added getPublicOrigin and getPublicUrl utility functions in src/lib/url.ts to reconstruct the public-facing origin and URL from incoming requests, respecting X-Forwarded-Host, X-Forwarded-Proto, and Forwarded headers, or falling back to req.url if not present.
• Exported getPublicOrigin and getPublicUrl from the package entry point for external use.

Authentication handler improvements:

• Updated protectedResourceHandler in src/auth/auth-metadata.ts to use getPublicUrl for auto-detecting the public URL, and added an optional resourceUrl parameter for explicit overrides, improving support for deployments behind proxies or with unusual network setups. [1] [2]
• Updated withMcpAuth in src/auth/auth-wrapper.ts to use the new getPublicOrigin utility and allow explicit resourceUrl overrides, ensuring correct construction of resource metadata URLs in proxied environments. [1] [2]

Testing and validation:

• Added comprehensive tests to tests/auth.test.ts to verify correct behavior of public URL detection with various proxy header scenarios and explicit resource URL overrides.