Skip to content

fix(callback): preserve session redirect url before clearing auth session#160

Open
cgarnier wants to merge 1 commit into
itpropro:mainfrom
cgarnier:fix/callback-redirect-url-cleared
Open

fix(callback): preserve session redirect url before clearing auth session#160
cgarnier wants to merge 1 commit into
itpropro:mainfrom
cgarnier:fix/callback-redirect-url-cleared

Conversation

@cgarnier

@cgarnier cgarnier commented Jun 10, 2026

Copy link
Copy Markdown

Summary

Fixes #159.
Fixes #149.

In callbackEventHandler (src/runtime/server/handler/callback.ts), session.clear() was called before reading session.data.callbackRedirectUrl, so the value passed to resolveCallbackRedirectUrl was always undefined. As a result, users were always redirected to / after sign-in, even when the global middleware had stored the original target path in the session via ?callbackRedirectUrl=....

Fix

Capture session.data.callbackRedirectUrl into a local variable before clearing the session, then pass that local variable to resolveCallbackRedirectUrl. This matches the original intent of the helper and restores the expected behavior of the existing middleware-callback-redirect E2E flow.

+    const sessionCallbackRedirectUrl = session.data.callbackRedirectUrl
     await session.clear()
     deleteCookie(event, 'oidc')
     return onSuccess(event, {
       user,
       callbackRedirectUrl: resolveCallbackRedirectUrl({
         configuredCallbackRedirectUrl: config.callbackRedirectUrl,
         hasConfiguredCallbackRedirectUrl,
-        sessionCallbackRedirectUrl: session.data.callbackRedirectUrl,
+        sessionCallbackRedirectUrl,
       }),
     })

Tests

  • Existing unit tests on resolveCallbackRedirectUrl (test/unit/utils/redirect.test.ts) still pass.
  • pnpm test:unit — 9 files, 121 tests passing.
  • pnpm typecheck — clean.
  • pnpm lint — no new errors/warnings introduced by this change.

I did not add a new test: a unit test on resolveCallbackRedirectUrl would not have caught this regression (the helper itself was already correct). A meaningful regression test would require either a heavily mocked handler test or a full E2E provider flow; happy to add one if you have a preferred approach.

…sion

The callbackRedirectUrl stored in the auth session was read after
session.clear() in the OIDC callback handler, making it always
undefined and forcing the final redirect to fall back to '/'.

Capture the value into a local variable before clearing the session
so resolveCallbackRedirectUrl receives the actual stored URL.

Fixes itpropro#159
@jreina

jreina commented Jul 7, 2026

Copy link
Copy Markdown

@itpropro any chance we could get this in? I'm currently patching around this behavior

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Callback Redirect Url is not working. Always redirect to / callbackRedirectUrl not working, when applying manually / dynamically

2 participants