auth0/auth0-vue

Incorrectly redirecting when both code and state search params are set

Petri-Oosthuizen opened this issue · 5 comments

Checklist

  • The issue can be reproduced in the auth0-vue sample app (or N/A).
  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

The auth0-vue plugin redirects when both code and state are specified as URL search parameters.

I have another callback URL using those parameters which has nothing to do with auth0.

Reproduction

Please find a working reproduction here: codesandbox.

Keep an eye on the URL while clicking on the following links in the sandbox:

  1. Navigate to /example?code=a -> the URL is changed correctly
  2. Navigate to /example?state=r -> the URL is changed correctly
  3. Navigate to /example?code=a&state=r -> redirects to "/"

Additional context

No response

auth0-vue version

2.3.2

Vue version

3.3.9

Which browsers have you tested in?

Chrome, Firefox

Thanks for reaching out, you can set skipRedirectCallback: window.location.pathname === '/other-callback' to ensure we do not read the param in certain scenarios.

More info here: https://auth0.github.io/auth0-vue/interfaces/Auth0PluginOptions.html#skipRedirectCallback

Closing, let me know if that wouldn't work and we can reopen as needed.

Thank you. Out of curiosity, why is this behaviour opt-out and not opt-in?

Because it was added in a non-breaking way based on feedback like your scenario; initially we handled every request.

Ok thank you. Just as an aside, the documentation you linked to is incorrect with the usage:

createAuth0({
  skipRedirectCallback: window.location.pathname === '/other-callback' // <- not a clientOption
})

it should instead be:

  createAuth0(
    {
      ...
    },
    {
      skipRedirectCallback: window.location.pathname === "/other-callback", // <- a plugin option
    },
  );

Thanks, fixed in #327
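Added example, not part of the thread or of the auth0-vue code base: a helper that computes the `skipRedirectCallback` plugin option for several non-Auth0 callback routes, checked against the three URLs from the reproduction. The route list, the helper names and the `https://app.example` origin are assumptions, and the decision model reflects only the behaviour reported in this issue (handling triggers when both `code` and `state` are present).

```javascript
// Added example, not auth0-vue source. The decision model below is built only
// from the behaviour reported in this issue.

// Hypothetical list of routes whose ?code=&state= belong to another flow.
const NON_AUTH0_CALLBACK_PATHS = ['/example', '/other-callback'];

// Strip trailing slashes so '/example/' and '/example' compare equal.
function normalizePath(pathname) {
  const trimmed = pathname.replace(/\/+$/, '');
  return trimmed === '' ? '/' : trimmed;
}

// Value to pass as the skipRedirectCallback plugin option,
// e.g. shouldSkipRedirectCallback(window.location.pathname) in the browser.
function shouldSkipRedirectCallback(pathname, paths = NON_AUTH0_CALLBACK_PATHS) {
  const current = normalizePath(pathname);
  return paths.some((p) => normalizePath(p) === current);
}

// Model of the reported behaviour: callback handling runs only when both
// params are present and skipRedirectCallback is false.
function wouldHandleAsAuth0Callback(href, skip) {
  const url = new URL(href, 'https://app.example'); // constructed origin
  const q = url.searchParams;
  return q.has('code') && q.has('state') && !skip;
}

// The three URLs from the reproduction, with and without the option set.
function checkReproduction() {
  const hrefs = ['/example?code=a', '/example?state=r', '/example?code=a&state=r'];
  return hrefs.map((href) => {
    const { pathname } = new URL(href, 'https://app.example');
    const skip = shouldSkipRedirectCallback(pathname);
    return {
      href,
      withoutOption: wouldHandleAsAuth0Callback(href, false),
      withOption: wouldHandleAsAuth0Callback(href, skip),
    };
  });
}

console.log(checkReproduction());
```

The option is evaluated once from the path at plugin creation, so the Auth0 callback route itself must stay out of the skip list or logins will never complete.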