fix: consistently treat returnTo parameter as an absolute path #2185

Merged: frederikprijck merged 1 commit into auth0:main from guabu:fix-return-to-with-base-path, Jun 23, 2025


@guabu guabu commented Jun 22, 2025

📋 Changes

Currently the returnTo parameter is inconsistently treated: sometimes as a URL (e.g.: https://example.com/dashboard) and other times as a path (/dashboard). This results in subtle bugs when building on the assumption that it is always an absolute path.

This PR ensures that all instances of the returnTo parameter are treated as absolute paths.

This was discovered as a bug with the basePath handling where the returnTo parameter was assumed to be an absolute path (e.g.: /base-path/dashboard). In reality, the host was prepended when constructing the returnTo parameter resulting in: http://localhost:3000/base-path/dashboard. With the basePath enabled, this generated malformed URLs such as /base-path/http://localhost:3000/base-path/dashboard. This can only be reproduced when a base path is set.

🎯 Testing

  1. Add a base path to your application
  2. Specify a returnTo path in your login URL
  3. Notice the resulting redirect is malformed

@guabu guabu requested a review from a team as a code owner June 22, 2025 08:36
@guabu guabu mentioned this pull request Jun 22, 2025
@guabu guabu force-pushed the fix-return-to-with-base-path branch from d8b20ad to 14ff06b Compare June 23, 2025 07:38
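
The malformed redirect described in the PR description, reproduced next to one way of reducing `returnTo` to an absolute path before the base path is applied. This is an added example, not code from the PR or the SDK: `naiveRedirect` and `resolveReturnTo` are hypothetical names, the origin and base path are the sample values from the description, and the same-origin fallback is an assumption of this sketch.

```javascript
// Added illustration; hypothetical helpers, not the SDK's implementation.
const APP_ORIGIN = "http://localhost:3000"; // sample value from the PR description
const BASE_PATH = "/base-path";             // sample value from the PR description

// "Before": assumes returnTo is already an absolute path and prefixes basePath.
// A full URL passed in here ends up embedded inside the path.
function naiveRedirect(basePath, returnTo) {
  return basePath + "/" + returnTo.replace(/^\//, "");
}

// "After": accept either a URL or a path, reduce it to an absolute path on the
// application's own origin, and apply the base path exactly once.
function resolveReturnTo(returnTo, appOrigin, basePath = "") {
  const base = basePath.replace(/\/+$/, ""); // drop trailing slashes
  const fallback = base || "/";
  let url;
  try {
    // Relative inputs resolve against the app origin; absolute URLs keep their own.
    url = new URL(returnTo, appOrigin);
  } catch {
    return fallback; // unparsable input
  }
  // Assumption of this sketch: anything resolving off-origin is replaced by the fallback.
  if (url.origin !== new URL(appOrigin).origin) return fallback;
  const alreadyPrefixed =
    url.pathname === base || url.pathname.startsWith(base + "/");
  const pathname = base && !alreadyPrefixed ? base + url.pathname : url.pathname;
  return pathname + url.search + url.hash;
}

// Constructed inputs covering both shapes of returnTo named in the description.
const samples = [
  "http://localhost:3000/base-path/dashboard",
  "/dashboard?tab=1",
  "https://example.com/dashboard",
];
for (const s of samples) {
  console.log(s, "| naive:", naiveRedirect(BASE_PATH, s),
    "| resolved:", resolveReturnTo(s, APP_ORIGIN, BASE_PATH));
}
```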

codecov-commenter commented Jun 23, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.91%. Comparing base (3d0f19e) to head (14ff06b).
Report is 24 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2185      +/-   ##
==========================================
+ Coverage   82.88%   82.91%   +0.02%     
==========================================
  Files          21       21              
  Lines        2092     2095       +3     
  Branches      372      372              
==========================================
+ Hits         1734     1737       +3     
  Misses        351      351              
  Partials        7        7              


@frederikprijck frederikprijck merged commit fc33a79 into auth0:main Jun 23, 2025
10 of 11 checks passed