fix(oauth): remove internal error message from redirect URL

theothersideofgod · claude · theothersideofgod · commit 24b965d4389b · 2026-05-13T10:48:25.000+08:00
Remove the 'message' query parameter that exposed raw error.message
content (potentially database errors, function names, or internal
details) in the redirect URL. The generic 'CALLBACK_FAILED' error
code is sufficient for the frontend, and detailed errors are still
logged server-side.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/graphql/server/src/middleware/oauth.ts b/graphql/server/src/middleware/oauth.ts
@@ -567,7 +567,6 @@ export function createOAuthRoutes(opts: ConstructiveOptions): Router {
 
       const errorUrl = new URL(errorRedirectPath, getBaseUrl(req));
       errorUrl.searchParams.set('error', 'CALLBACK_FAILED');
-      errorUrl.searchParams.set('message', error.message || 'Unknown error');
       errorUrl.searchParams.set('provider', provider);
       return res.redirect(errorUrl.toString());
     }

Original file line number	Diff line number	Diff line change
`@@ -567,7 +567,6 @@ export function createOAuthRoutes(opts: ConstructiveOptions): Router {`
`567`	`567`
`568`	`568`	`const errorUrl = new URL(errorRedirectPath, getBaseUrl(req));`
`569`	`569`	`errorUrl.searchParams.set('error', 'CALLBACK_FAILED');`
`570`		`- errorUrl.searchParams.set('message', error.message \|\| 'Unknown error');`
`571`	`570`	`errorUrl.searchParams.set('provider', provider);`
`572`	`571`	`return res.redirect(errorUrl.toString());`
`573`	`572`	`}`