Skip to content

Comments

fix(web): strip auth search params from URL after callback redirect#4088

Open
devin-ai-integration[bot] wants to merge 1 commit intomainfrom
devin/1771484066-fix-auth-callback-search-params
Open

fix(web): strip auth search params from URL after callback redirect#4088
devin-ai-integration[bot] wants to merge 1 commit intomainfrom
devin/1771484066-fix-auth-callback-search-params

Conversation

@devin-ai-integration
Copy link
Contributor

@devin-ai-integration devin-ai-integration bot commented Feb 19, 2026

Summary

After OAuth/OTP login, the auth callback URL's query params (code, token_hash, flow, etc.) were leaking into the redirected URL instead of being stripped. This adds explicit search: {} to all throw redirect() calls in the callback route's beforeLoad, and adds replace: true to the component-level navigate() fallback.

Changes:

  • All throw redirect() calls for web flow in beforeLoad now pass search: {} to explicitly clear search params
  • The component's useEffect fallback navigate() now uses replace: true to replace the callback URL in history

Review & Testing Checklist for Human

  • Test the full OAuth flow (Google/GitHub) with flow=web: Log in, go through callback, and verify the final URL at /app/account/ has no leftover code/flow/scheme params. This is the primary bug being fixed and was not tested live.
  • Verify the navigate() fallback also strips params: The useEffect navigate call got replace: true but notably does NOT include search: {} like the beforeLoad redirects do. If the beforeLoad redirect fails to fire (known TanStack Start SSR issue #3462), the component fallback may still leak params. Consider whether search: {} should be added to the navigate call too.
  • Test recovery/password-reset flow: The /update-password/ redirects were also updated — verify password reset via email still works end-to-end.

Notes

@devin-ai-integration @goranmoomin
fix(web): strip auth search params from URL after callback redirect
fc4ac68 
Co-Authored-By: Sungbin Jo <goranmoomin@daum.net>
@netlify
Copy link

netlify bot commented Feb 19, 2026
edited
Loading

Deploy Preview for hyprnote-storybook canceled.

Name Link
🔨 Latest commit fc4ac68
🔍 Latest deploy log https://app.netlify.com/projects/hyprnote-storybook/deploys/6996b41c6c55ea000828fd25

@netlify
Copy link

netlify bot commented Feb 19, 2026
edited
Loading

Deploy Preview for hyprnote ready!

Name Link
🔨 Latest commit fc4ac68
🔍 Latest deploy log https://app.netlify.com/projects/hyprnote/deploys/6996b41c6c55ea000828fd21
😎 Deploy Preview https://deploy-preview-4088--hyprnote.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@devin-ai-integration
Copy link
Contributor Author

devin-ai-integration bot commented Feb 19, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@goranmoomin goranmoomin Awaiting requested review from goranmoomin

Assignees

@goranmoomin goranmoomin

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@goranmoomin