fix(onboarding): redirect back to onboarding after GitHub app install #3119
Merged
kilo-code-bot[bot] merged 2 commits into gastown-staging from May 7, 2026
Code Review Summary
Status: No Issues Found | Recommendation: Merge
Files Reviewed (5 files)
Reviewed by gpt-5.5-20260423 · 237,154 tokens

…ate, URIError guard
- OnboardingStepRepo: use stable refetch reference and scalar param instead of full query object to prevent duplicate toasts/refetches
- GitHub callback: parse owner token from state in error handler so |return= suffix doesn't leak into org redirect URLs
- validate-return-path: catch URIError from malformed percent-encoding and treat as invalid return path (null) instead of throwing

Summary
When a user clicks "Install GitHub App" during gastown onboarding, the GitHub callback always redirected them to /integrations/github?success=installed instead of back to the onboarding wizard. The user had to manually navigate back and start over.

This PR extends the state parameter with an optional |return=<path> suffix so the callback can redirect back to the originating page.

Changes:
- return path to state, switch from window.open to window.location.href so the round-trip happens in the same tab. Added a toast + repo refetch on ?github_install=success.
- |return= suffix via extracted parseStateReturn utility with an open-redirect guard (regex validates single-leading-slash internal paths, rejects //, /\, CR/LF). The returnTo-aware redirect applies to the success path only; error/pending paths unchanged for backwards compat.
- ?step= query param to seed the initial wizard step, so users land on the repo step after the GitHub round-trip.
- validateReturnPath and parseStateReturn with unit tests covering open-redirect attack vectors.

Verification
Manually verified by tracing the code path: onboarding → GitHub install URL includes return= in state → callback parses and validates return path → redirects to /gastown/onboarding?step=repo&github_install=success → wizard seeds repo step → toast fires + repos refetch.

Visual Changes
N/A

Reviewer Notes
- /^\/(?![\/\\])[^\r\n]*$/ plus the // prefix check is the security-critical part — see validate-return-path.test.ts for attack vector coverage.
- returnTo — we don't want to send users back to onboarding when the install failed or is pending approval.
- |return= suffix) continue to work via the fallback to /integrations/github.
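
The return-path handling described in this PR, as an added TypeScript example that is not the PR's own code. The regex, the // prefix check, the URIError handling and the fallback URL are taken from the text above; the function bodies, the decode-then-validate order and the sample state values used to exercise it are assumptions.

```typescript
// Added example; not the project's implementation. Function names follow the
// PR text, but their bodies and the state layout details are assumptions.
const INTERNAL_PATH = /^\/(?![\/\\])[^\r\n]*$/; // regex quoted in the reviewer notes
const FALLBACK = "/integrations/github?success=installed"; // pre-PR redirect target

// Returns a same-origin path, or null when the value must not be used as a redirect.
function validateReturnPath(raw: string | null | undefined): string | null {
  if (!raw) return null;
  let path: string;
  try {
    // Decode first so encoded forms (%2F%2Fhost, %5C, %0d%0a) are judged in the
    // form that is actually returned (assumed order, not confirmed by the page).
    path = decodeURIComponent(raw);
  } catch {
    return null; // URIError from malformed percent-encoding is treated as invalid
  }
  if (path.slice(0, 2) === "//") return null; // protocol-relative URL
  return INTERNAL_PATH.test(path) ? path : null;
}

// Splits "<owner token>|return=<path>" so the suffix never leaks into the owner.
function parseStateReturn(state: string): { owner: string; returnTo: string | null } {
  const marker = "|return=";
  const idx = state.indexOf(marker);
  if (idx === -1) return { owner: state, returnTo: null }; // legacy state, no suffix
  return {
    owner: state.slice(0, idx),
    returnTo: validateReturnPath(state.slice(idx + marker.length)),
  };
}

// Success path only: use the validated return path, else the old destination.
function successRedirect(state: string): string {
  const { returnTo } = parseStateReturn(state);
  return returnTo !== null ? returnTo : FALLBACK;
}
```
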