
Unintended Query Parameter Removal with "code" #1465


Open
Gillesf31 opened this issue Feb 21, 2025 · 2 comments

Comments

@Gillesf31

Describe the bug
We use this nice library in a complex architecture where multiple Angular applications are embedded in a CMS. One of these applications is responsible for authentication and utilizes this library.

Since the authentication app is always present, it continuously checks whether the user is still logged in.

We encountered an issue in the following scenario:

A user is already logged in. The CMS page contains two Angular applications:

  1. The authentication app.
  2. Another application that expects query parameters, including a parameter containing the string "code", e.g.:

     https://toto.com?totocode=toto

The authentication app automatically modifies the URL due to the logic found in https://github.com/manfredsteyer/angular-oauth2-oidc/blob/master/projects/lib/src/oauth-service.ts#L1748

if (!options.preventClearHashAfterLogin) {
  const href =
    location.origin +
    location.pathname +
    location.search
      .replace(/code=[^&$]*/, '')
      .replace(/scope=[^&$]*/, '')
      .replace(/state=[^&$]*/, '')
      .replace(/session_state=[^&$]*/, '')
      .replace(/^\?&/, '?')
      .replace(/&$/, '')
      .replace(/^\?$/, '')
      .replace(/&+/g, '&')
      .replace(/\?&/, '?')
      .replace(/\?$/, '') +
    location.hash;

  history.replaceState(null, window.name, href);
}

This regex removes any query parameter containing "code" and not just the OAuth authorization code itself.
For example:

'https://toto.com?totocode=toto'.replace(/code=[^&$]*/, '') 
// Result: 'https://toto.com?toto'

As a result, our application loses query parameters that contain "code", even when they are unrelated to OAuth.

Expected behavior
We are unsure if this is the intended behavior. Our questions are:

  1. Should the regex be more restrictive to only target the "code" query parameter (without affecting others containing "code" as a substring)?
  2. If this is the expected behavior, is enabling preventClearHashAfterLogin the recommended workaround to handle query cleanup manually?

Thanks a lot for this library!

@Gillesf31 changed the title from "Edge case with query param URL cleanup regex with "code"" to "Unintended Query Parameter Removal with "code"" on Feb 21, 2025
@andrewgremlich

I am encountering that I need to use the code for a 3rd party integration, and the code disappears and is not saved.

@Gillesf31 (Author)

The workaround with preventClearHashAfterLogin: true and manually cleaning code, scope, state and session_state works for us.
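The following is an added example, not code from angular-oauth2-oidc or from either commenter. It puts the library's regex chain quoted in the issue next to a cleanup that deletes only whole parameter names, which is the kind of manual cleanup the workaround comment above describes when preventClearHashAfterLogin is set. The function names (regexCleanup, strictCleanup, cleanHref) and the sample URLs are constructed for illustration. Running it shows two things about the original regex: it strips the first "code=" substring it finds even when that sits inside an unrelated name such as totocode, and, because the regex is not global, a real code parameter appearing later in the same query string survives.

```javascript
// Added example (not part of angular-oauth2-oidc): substring regex cleanup vs.
// whole-parameter-name cleanup for OAuth response parameters in location.search.

// Reproduces the regex chain quoted from oauth-service.ts on a query string.
// Note: /code=[^&$]*/ is unanchored and non-global, so it removes the first
// "code=" substring wherever it occurs, which includes "...totocode=...".
function regexCleanup(search) {
  return search
    .replace(/code=[^&$]*/, '')
    .replace(/scope=[^&$]*/, '')
    .replace(/state=[^&$]*/, '')
    .replace(/session_state=[^&$]*/, '')
    .replace(/^\?&/, '?')
    .replace(/&$/, '')
    .replace(/^\?$/, '')
    .replace(/&+/g, '&')
    .replace(/\?&/, '?')
    .replace(/\?$/, '');
}

// The OAuth authorization-response parameters the library intends to strip.
const OAUTH_RESPONSE_PARAMS = ['code', 'scope', 'state', 'session_state'];

// Removes only parameters whose *entire* name matches one of the OAuth
// response parameters. Parsing with URLSearchParams means "totocode" is a
// different key from "code" and is left untouched. Returns '' or '?...'.
function strictCleanup(search) {
  const params = new URLSearchParams(search);
  for (const name of OAUTH_RESPONSE_PARAMS) {
    params.delete(name); // removes every occurrence of that exact key
  }
  const rest = params.toString();
  return rest ? '?' + rest : '';
}

// Manual cleanup of a full href, as an app would do before history.replaceState
// when preventClearHashAfterLogin is true. The hash is preserved by the URL object.
function cleanHref(href) {
  const url = new URL(href);
  url.search = strictCleanup(url.search);
  return url.toString();
}

// Constructed sample: an app parameter containing "code" as a substring plus a
// genuine OAuth code and state appended by the redirect.
const sample = '?totocode=toto&code=abc&state=xyz';
console.log('regex :', regexCleanup(sample));   // drops totocode's value, keeps code=abc
console.log('strict:', strictCleanup(sample));  // keeps totocode=toto, drops code and state
console.log('href  :', cleanHref('https://toto.com/?totocode=toto&code=abc#frag'));
```

The strict version accepts the same location.search string the library operates on and returns a string suitable for reassembling an href, so the replacement is a drop-in for the manual cleanup step; the trade-off is that URLSearchParams re-encodes the remaining values (spaces become "+", for instance), which is harmless for the parameters here but worth knowing if the surviving query string is compared byte-for-byte elsewhere.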
