fix: OAuth2: use correct `Content-Type` as specified in RFC (#2343)

Co-authored-by: Nolan Lawson <nolan@nolanlawson.com>

src/routes/_api/oauth.js

@@ -27,11 +27,13 @@ export function generateAuthLink (instanceName, clientId, redirectUri) {
 
 export function getAccessTokenFromAuthCode (instanceName, clientId, clientSecret, code, redirectUri) {
   const url = `${basename(instanceName)}/oauth/token`
-  return post(url, {
+  // Using URLSearchParams here guarantees a content type of application/x-www-form-urlencoded
+  // See https://fetch.spec.whatwg.org/#bodyinit-unions
+  return post(url, new URLSearchParams({
     client_id: clientId,
     client_secret: clientSecret,
     redirect_uri: redirectUri,
     grant_type: 'authorization_code',
     code
-  }, null, { timeout: WRITE_TIMEOUT })
+  }), null, { timeout: WRITE_TIMEOUT })
 }

src/routes/_utils/ajax.js

@@ -51,7 +51,7 @@ async function _fetch (url, fetchOptions, options) {
 async function _putOrPostOrPatch (method, url, body, headers, options) {
   const fetchOptions = makeFetchOptions(method, headers, options)
   if (body) {
-    if (body instanceof FormData) {
+    if (body instanceof FormData || body instanceof URLSearchParams) {
       fetchOptions.body = body
     } else {
       fetchOptions.body = JSON.stringify(body)