Magic-link action_link drops /auth/v1 prefix after #5092 (admin.generateLink returns 404)

[grv693]

Repro

supabase start                       # CLI v2.95.5+ (e.g. v2.98.1)
# from any service-role client:
supabase.auth.admin.generateLink({ type: 'magiclink', email, options: { redirectTo } })

Expected

action_link is http://127.0.0.1:54321/auth/v1/verify?token=…&type=magiclink&redirect_to=…

Actual (v2.95.5+)

action_link is http://127.0.0.1:54321/verify?… — /auth/v1 prefix missing → Kong 404 (no route matches bare /verify).

Cause

#5092 changed the GoTrue env wiring:

- "API_EXTERNAL_URL=" + utils.Config.Api.ExternalUrl,
+ "API_EXTERNAL_URL=" + utils.Config.AuthExternalURL(),  // = http://127.0.0.1:54321/auth/v1
- fmt.Sprintf("GOTRUE_MAILER_URLPATHS_INVITE=%s/verify", utils.Config.Auth.JwtIssuer),
+ "GOTRUE_MAILER_URLPATHS_INVITE=/verify",

GoTrue (templatemailer.go) builds the link via externalURL.ResolveReference(path).String(). Per RFC 3986 §5.2, an absolute reference path (leading /) replaces the base path entirely:

API_EXTERNAL_URL	MAILER_URLPATHS_INVITE	result
http://…/auth/v1	/verify	http://…/verify ❌
http://…/auth/v1/	/verify	http://…/verify ❌
http://…/auth/v1/	verify (no leading /)	http://…/auth/v1/verify ✅

No config.toml knob (auth.external_url, with or without trailing slash) survives this — URLPaths are hardcoded with leading / in internal/start/start.go.

Suggested fix (either works)

1. Restore full URLs: GOTRUE_MAILER_URLPATHS_INVITE=<auth-external-url>/verify, or
2. Drop the leading slash and ensure auth.external_url ends with /.

Impact

Any local CI/test that uses admin.generateLink (e.g. Playwright e2e auth helpers) breaks at the magic-link step. Pinning to 2.95.4 (last release before #5092) is the workaround.