feat(clerk-js): Include current search params in handleRedirectCallback#7600
feat(clerk-js): Include current search params in handleRedirectCallback#7600jfoshee wants to merge 5 commits intorelease/core-2from
handleRedirectCallback#7600Conversation
…ack` so that component `AuthenticateWithRedirectCallback` automatically incorporates any redirects in the current query to match the documented usage https://clerk.com/docs/guides/development/custom-flows/authentication/oauth-connections
🦋 Changeset detectedLatest commit: 8e7497a The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
jfoshee
changed the title
handleRedirectCallbackhandleRedirectCallback
…ails-for-new-users-custom-sso
@clerk/agent-toolkit
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/elements
@clerk/clerk-expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/clerk-react
@clerk/react-router
@clerk/remix
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/themes
@clerk/types
@clerk/upgrade
@clerk/vue
commit: |
packages/clerk-js/src/core/clerk.ts
Outdated
There was a problem hiding this comment.
Could this fix introduce a breaking change? This change is in _handleRedirectCallback which is shared by both handleRedirectCallback and handleGoogleOneTapCallback. For the OAuth redirect callback this makes total sense, that's the whole point of the fix. But for Google One Tap, the dialog fires on whatever page the user is currently browsing, not on a dedicated callback URL. Since search params have highest priority in #getRedirectUrl (search params > props > options), any redirect_url that happens to be in the page's query string would silently override the redirect params passed via props.
Should we scope this to just the handleRedirectCallback path? Something like passing the search params from the caller:
// In handleRedirectCallback - pass search params
return this._handleRedirectCallback(params, { signUp, signIn, navigate }, new URLSearchParams(window.location.search));
// In handleGoogleOneTapCallback - don't pass search params (keeps current behavior)
return this._handleRedirectCallback(params, { signUp, signIn, navigate });Then _handleRedirectCallback would forward whatever it receives to RedirectUrls instead of reading window.location.search directly.
There was a problem hiding this comment.
That's a good point. Thanks, Nikos. I've moved search params up a level and added an optional parameter to _handleRedirectCallback. I manually tested the OAuth app + sso sign-up flow (bug scenario) and it works fine with <AuthenticateWithRedirectCallback />. I tested basic sso sign-up w/ customized sign-in page as well. Are there any other scenarios I should test?
so that it can be passed from handleRedirectCallback for AuthenticateWithRedirectCallback, whereas the parameter is omitted for Google One Tap so we don't change the behavior there
…ails-for-new-users-custom-sso
| await waitFor(() => { | ||
| expect(mockSetActive).toHaveBeenCalled(); | ||
| // The redirect should include the custom redirect URL from URL search params | ||
| expect(mockNavigate.mock.calls[0][0]).toContain(customRedirectUrl); |
There was a problem hiding this comment.
Would it be worth adding a test where both props and search params are present? Just to lock the precedence behavior (search params > props) and prevent future regressions
| signUp: SignUpResource; | ||
| navigate: (to: string) => Promise<unknown>; | ||
| }, | ||
| searchParams?: URLSearchParams, |
There was a problem hiding this comment.
Should we add a quick test verifying that handleGoogleOneTapCallback ignores redirect_url from the URL? Would help protect the intentional scoping here
3 participants
so that component
AuthenticateWithRedirectCallbackautomatically incorporates any redirects in the current query to match the documented usagePart of USER-4308
Without a fix like this the developer must manually snag and specify all the possible redirects, which I think is not the intent of the component.
Note to Reviewers
❓ Is this the best place to insert the URL's query params? It could be done at a higher level, e.g. adding an argument to
handleRedirectCallback. Are there scenarios where it is undesirable to automatically use the window's current query?❓ What are some scenarios I should manually test?
It would be helpful to consider this change in conjunction with this docs change. I acknowledge that the change to the docs is not ideal; it makes the code example much longer. But, my thinking is to first: make it correct, second: make SDK improvements that could reduce the burden on customers.
Checklist
pnpm testruns as expected.pnpm buildruns as expected.Type of change