Summary
When the local Calypso dev server (calypso.localhost:3000) redirects an unauthenticated user to wordpress.com login, and the user picks Email me a login link, the resulting magic-link email drops the originating redirect_to parameter. Clicking the link logs the user into wordpress.com and lands them on wordpress.com/home/... rather than bouncing back to the calypso.localhost target. The wp.com session cookie sets on .wordpress.com only, so calypso.localhost remains logged out.
Steps to reproduce
- Open http://calypso.localhost:3000/<any-protected-route> while logged out (e.g. a /podcasting/stats/<site> URL).
- Calypso redirects to its /log-in?...&redirect_to=... and forwards through to wordpress.com login.
- Click Email me a login link with a valid wp.com account email.
- Open the email in the same Chrome window, click the link.
- Observe landing on wordpress.com/home/... rather than the originating calypso.localhost URL.
- Reload the calypso.localhost target. Still logged out.
Expected
After clicking the magic link, end up at the originating calypso.localhost:3000/<route> URL with a valid local Calypso session.
Related friction
The 2FA UI on calypso.localhost shows the security-key challenge with no "Try another method" fallback link. Users with passkeys registered for wordpress.com cannot use them here, since passkeys are origin-bound and calypso.localhost is a different origin. Magic-link is the natural fallback, which makes the redirect-loss bug a hard blocker for getting into local dev.
Environment
- Local Calypso dev server on macOS, Chrome 147
- Branch: try/pods-95-podcast-stats-ui (issue is unrelated to that branch, observed during UI testing)