remove auth params from url after login attempt (#25664)

element-hq · Jun 27, 2023 · 6bbc2b8 · 6bbc2b8
1 parent 51baaf6
commit 6bbc2b8
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/src/vector/app.tsx b/src/vector/app.tsx
@@ -75,13 +75,17 @@ function makeRegistrationUrl(params: QueryDict): string {
 
 function onTokenLoginCompleted(): void {
  // if we did a token login, we're now left with the token, hs and is
- // url as query params in the url; a little nasty but let's redirect to
- // clear them.
+ // url as query params in the url;
+ // if we did an oidc authorization code flow login, we're left with the auth code and state
+ // as query params in the url;
+ // a little nasty but let's redirect to clear them.
  const url = new URL(window.location.href);
 
  url.searchParams.delete("loginToken");
+ url.searchParams.delete("state");
+ url.searchParams.delete("code");
 
- logger.log(`Redirecting to ${url.href} to drop loginToken from queryparams`);
+ logger.log(`Redirecting to ${url.href} to drop delegated authentication params from queryparams`);
  window.history.replaceState(null, "", url.href);
 }