Incorrectly redirecting when both code and state search params are set
Petri-Oosthuizen opened this issue · 5 comments
Checklist
- The issue can be reproduced in the auth0-vue sample app (or N/A).
- I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
The auth0-vue plugin redirects when both code and state are specified as URL search parameters.
I have another callback URL using those parameters which has nothing to do with auth0.
Reproduction
Please find a working reproduction here: codesandbox.
Keep an eye on the URL while clicking on the following links in the sandbox:
- Navigate to /example?code=a -> the URL is changed correctly
- Navigate to /example?state=r -> the URL is changed correctly
- Navigate to /example?code=a&state=r -> redirects to "/"
Additional context
No response
auth0-vue version
2.3.2
Vue version
3.3.9
Which browsers have you tested in?
Chrome, Firefox
Thanks for reaching out, you can set skipRedirectCallback: window.location.pathname === '/other-callback' to ensure we do not read the param in certain scenarios.
More info here: https://auth0.github.io/auth0-vue/interfaces/Auth0PluginOptions.html#skipRedirectCallback
Closing, let me know if that wouldn't work and we can reopen as needed.
Thank you. Out of curiosity, why is this behaviour opt-out and not opt-in?
Because it was added in a non-breaking way based on feedback like your scenario; initially we handled every request.
Ok thank you. Just as an aside, the documentation you linked to is incorrect with the usage:
createAuth0({
  skipRedirectCallback: window.location.pathname === '/other-callback' // <- not a clientOption
})
it should instead be:
createAuth0(
  {
    // ...
  },
  {
    skipRedirectCallback: window.location.pathname === "/other-callback", // <- a plugin option
  },
);
Thanks, fixed in #327
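
Added example, not part of the thread and not auth0-vue code: an allow-list variant of the skipRedirectCallback expression above, so that only the app's own Auth0 callback route is ever treated as a login callback and unrelated routes carrying code and state are left alone. The /callback path, the app.example origin and all function names are assumptions, and hasCallbackParams is a simplified model of the behaviour reported in this issue.

```javascript
// Simplified model (assumption) of the reported behaviour: the URL is treated
// as a login callback when BOTH `code` and `state` are present.
function hasCallbackParams(search) {
  const params = new URLSearchParams(search);
  return params.has('code') && params.has('state');
}

// Assumption: the route(s) registered with Auth0 as this app's callback URL.
const AUTH0_CALLBACK_PATHS = new Set(['/callback']);

// Opt-in form of skipRedirectCallback: skip everywhere except allow-listed paths.
function skipRedirectCallbackFor(pathname, allowed = AUTH0_CALLBACK_PATHS) {
  const normalized = pathname.replace(/\/+$/, '') || '/'; // tolerate trailing slash
  return !allowed.has(normalized);
}

// True only when the plugin would consume the params on this URL.
function wouldHandleRedirect(href, allowed = AUTH0_CALLBACK_PATHS) {
  const url = new URL(href, 'https://app.example'); // placeholder origin
  return hasCallbackParams(url.search) &&
    !skipRedirectCallbackFor(url.pathname, allowed);
}

// The three URLs from the reproduction, plus a constructed callback URL.
const samples = [
  '/example?code=a',
  '/example?state=r',
  '/example?code=a&state=r',
  '/callback?code=a&state=r', // constructed
];
for (const href of samples) {
  console.log(href, '->', wouldHandleRedirect(href) ? 'handled by plugin' : 'left alone');
}

// Wiring, using the two-argument form shown in the thread:
// createAuth0(
//   { /* client options */ },
//   { skipRedirectCallback: skipRedirectCallbackFor(window.location.pathname) },
// );
```

As in the thread's expression, the value is computed once from window.location when the plugin is created.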