From 6bbc2b82383d12a157046bcbc3385af891888420 Mon Sep 17 00:00:00 2001
From: Kerry
Date: Wed, 28 Jun 2023 11:27:45 +1200
Subject: [PATCH] remove auth params from url after login attempt (#25664)
---
 src/vector/app.tsx | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/vector/app.tsx b/src/vector/app.tsx
index 463ef1346a4..7371ccf0f01 100644
--- a/src/vector/app.tsx
+++ b/src/vector/app.tsx
@@ -75,13 +75,17 @@ function makeRegistrationUrl(params: QueryDict): string {
 function onTokenLoginCompleted(): void {
 // if we did a token login, we're now left with the token, hs and is
- // url as query params in the url; a little nasty but let's redirect to
- // clear them.
+ // url as query params in the url;
+ // if we did an oidc authorization code flow login, we're left with the auth code and state
+ // as query params in the url;
+ // a little nasty but let's redirect to clear them.
 const url = new URL(window.location.href);
 url.searchParams.delete("loginToken");
+ url.searchParams.delete("state");
+ url.searchParams.delete("code");
- logger.log(`Redirecting to ${url.href} to drop loginToken from queryparams`);
+ logger.log(`Redirecting to ${url.href} to drop delegated authentication params from queryparams`);
 window.history.replaceState(null, "", url.href);
 }
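Review bot: The two added `delete` calls in `onTokenLoginCompleted` clear only the success-response parameters of the authorization code flow. An OAuth error response returns `error` and `error_description` (optionally `error_uri`) alongside `state`, and servers implementing RFC 9207 also append `iss`. If this function is also reached after a failed attempt (the subject says "after login attempt", but the call sites are outside this hunk), those would stay in the address bar and in the history entry. Consider clearing them in the same place, e.g. `for (const p of ["loginToken", "state", "code", "error", "error_description", "iss"]) url.searchParams.delete(p);`. The `logger.log` call is safe only because it runs after the deletes, so a comment above it such as `// log only after the deletes so the auth code and state never reach the log output` would guard that ordering against later edits.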