fix(DF-900): only strip query params from proceed() on POST, not GET (#334)

mokhld · web-flow · commit 3c7be6387670 · 2026-03-11T16:55:15.000Z
* fix: only strip query params from proceed() on POST, not GET

* refactor: avoid nested ternary in proceed() per Sonar

* refactor: extract nextQuery variable to satisfy Sonar
diff --git a/src/server/plugins/engine/helpers.test.ts b/src/server/plugins/engine/helpers.test.ts
@@ -229,7 +229,7 @@ describe('Helpers', () => {
       }
     )
 
-    it('should not forward custom query params to the next page URL', () => {
+    it('should not forward custom query params on POST', () => {
       request = {
         ...request,
         method: 'post',
@@ -240,6 +240,34 @@ describe('Helpers', () => {
 
       expect(h.redirect).toHaveBeenCalledWith('/test/next-page')
     })
+
+    it('should forward custom query params on GET so pre-population params survive dispatch redirects', () => {
+      request = {
+        ...request,
+        method: 'get',
+        query: { formId: '69afefa99b7b18cc1cd2c606' }
+      }
+
+      proceed(request, h, '/test/next-page')
+
+      expect(h.redirect).toHaveBeenCalledWith(
+        '/test/next-page?formId=69afefa99b7b18cc1cd2c606'
+      )
+    })
+
+    it('should forward custom query params on GET but not returnUrl', () => {
+      request = {
+        ...request,
+        method: 'get',
+        query: { formId: '69afefa99b7b18cc1cd2c606', returnUrl: '/summary' }
+      }
+
+      proceed(request, h, '/test/next-page')
+
+      expect(h.redirect).toHaveBeenCalledWith(
+        '/test/next-page?formId=69afefa99b7b18cc1cd2c606'
+      )
+    })
   })
 
   describe('encodeUrl', () => {
diff --git a/src/server/plugins/engine/helpers.ts b/src/server/plugins/engine/helpers.ts
@@ -22,6 +22,7 @@ import {
 } from '~/src/server/plugins/engine/components/helpers/components.js'
 import { type FormModel } from '~/src/server/plugins/engine/models/FormModel.js'
 import { type PageControllerClass } from '~/src/server/plugins/engine/pageControllers/helpers/pages.js'
+import { stripParam } from '~/src/server/plugins/engine/pageControllers/helpers/state.js'
 import {
   type AnyFormRequest,
   type FormContext,
@@ -129,11 +130,17 @@ export function proceed(
         payload.action === FormAction.Validate
       : false
 
+  // On POST, strip all query params to prevent them persisting across pages.
+  // On GET, forward params (minus returnUrl) so pre-population query params
+  // survive dispatch redirects (e.g. ?formId= reaching the start page).
+  const nextQuery =
+    method === 'get' ? stripParam(query, 'returnUrl') : undefined
+
   // Redirect to return location (optional)
   const response =
     isReturnAllowed && isPathRelative(returnUrl)
       ? h.redirect(returnUrl)
-      : h.redirect(redirectPath(nextUrl))
+      : h.redirect(redirectPath(nextUrl, nextQuery))
 
   // Redirect POST to GET to avoid resubmission
   return method === 'post'
