Description
Describe the bug
We use this nice library in a complex architecture where multiple Angular applications are embedded in a CMS. One of these applications is responsible for authentication and utilizes this library.
Since the authentication app is always present, it continuously checks whether the user is still logged in.
We encountered an issue in the following scenario:
A user is already logged in. The CMS page contains two Angular applications:
- The authentication app.
- Another application that expects query parameters, including a parameter containing the string "code", e.g. `https://toto.com?totocode=toto`
The authentication app automatically modifies the URL due to the logic found in https://github.com/manfredsteyer/angular-oauth2-oidc/blob/master/projects/lib/src/oauth-service.ts#L1748
```ts
if (!options.preventClearHashAfterLogin) {
  const href =
    location.origin +
    location.pathname +
    location.search
      .replace(/code=[^&$]*/, '')
      .replace(/scope=[^&$]*/, '')
      .replace(/state=[^&$]*/, '')
      .replace(/session_state=[^&$]*/, '')
      .replace(/^\?&/, '?')
      .replace(/&$/, '')
      .replace(/^\?$/, '')
      .replace(/&+/g, '&')
      .replace(/\?&/, '?')
      .replace(/\?$/, '') +
    location.hash;
  history.replaceState(null, window.name, href);
}
```
This regex removes any query parameter containing "code" and not just the OAuth authorization code itself.
For example:
```js
'https://toto.com?totocode=toto'.replace(/code=[^&$]*/, '')
// Result: 'https://toto.com?toto'
```
As a result, our application loses query parameters that contain "code", even when they are unrelated to OAuth.
Expected behavior
We are unsure if this is the intended behavior. Our questions are:
- Should the regex be more restrictive to only target the "code" query parameter (without affecting others containing "code" as a substring)?
- If this is the expected behavior, is enabling preventClearHashAfterLogin the recommended workaround to handle query cleanup manually?
Thanks a lot for this library!
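The following is an added example, not code from the issue author or from angular-oauth2-oidc. It reproduces the `location.search` cleanup chain quoted above as a plain function so it can be run outside a browser, and puts a boundary-anchored variant beside it. The anchored variant (function name `clearSearchAnchored`, the `OAUTH_PARAMS` list and the `cleanedHref` helper are all assumptions of this example, not a fix the project has adopted) only matches a parameter name when it directly follows `?` or `&`, which is the "more restrictive" behaviour the first question asks about. It also goes slightly beyond the report: with several parameters present, the substring match consumes the first `code=` it finds (here the unrelated `totocode=`) and, because the regex has no `g` flag, leaves the real OAuth `code=` in the URL.

```javascript
// Added example (not from angular-oauth2-oidc). Compares the substring-based
// cleanup quoted from oauth-service.ts with a boundary-anchored version.

// Mirrors the replace chain quoted in the issue, applied to a location.search
// string (the part of the URL starting with '?'). Note that '$' inside a
// character class is a literal dollar sign, so [^&$]* stops only at '&' or '$'.
function clearSearchAsQuoted(search) {
  return search
    .replace(/code=[^&$]*/, '')
    .replace(/scope=[^&$]*/, '')
    .replace(/state=[^&$]*/, '')
    .replace(/session_state=[^&$]*/, '')
    .replace(/^\?&/, '?')
    .replace(/&$/, '')
    .replace(/^\?$/, '')
    .replace(/&+/g, '&')
    .replace(/\?&/, '?')
    .replace(/\?$/, '');
}

// Parameter names the cleanup is meant to strip (same four as the quoted code).
const OAUTH_PARAMS = ['code', 'scope', 'state', 'session_state'];

// Hypothetical anchored variant: a name must follow '?' or '&', so
// 'totocode=' is left alone and 'state=' no longer eats 'session_state='.
// The matched delimiter is kept ('$1') and the tail normalisation below
// collapses any doubled '&' exactly as the quoted chain does.
function clearSearchAnchored(search) {
  let out = search;
  for (const name of OAUTH_PARAMS) {
    out = out.replace(new RegExp('(^\\?|&)' + name + '=[^&]*'), '$1');
  }
  return out
    .replace(/^\?&/, '?')
    .replace(/&$/, '')
    .replace(/^\?$/, '')
    .replace(/&+/g, '&')
    .replace(/\?&/, '?')
    .replace(/\?$/, '');
}

// Rebuilds the href the way the quoted block does from a location-like
// object, so the effect of preventClearHashAfterLogin can be seen offline.
// Returns null when the option is set, because the library then leaves the
// URL untouched (no history.replaceState call).
function cleanedHref(loc, options, clean) {
  if (options.preventClearHashAfterLogin) {
    return null;
  }
  return loc.origin + loc.pathname + clean(loc.search) + loc.hash;
}

// Constructed sample location, based on the URL in the report.
const sampleLocation = {
  origin: 'https://toto.com',
  pathname: '/',
  search: '?totocode=toto&code=abc&state=xyz&page=2',
  hash: '#section',
};

console.log('quoted  :', cleanedHref(sampleLocation, {}, clearSearchAsQuoted));
console.log('anchored:', cleanedHref(sampleLocation, {}, clearSearchAnchored));
console.log('prevent :', cleanedHref(sampleLocation, { preventClearHashAfterLogin: true }, clearSearchAsQuoted));
```

Running it prints the quoted chain turning the sample search into `?toto&code=abc&page=2` (custom parameter truncated, OAuth code still present) while the anchored variant yields `?totocode=toto&page=2`; with `preventClearHashAfterLogin` set, nothing is rewritten and the application has to strip the OAuth parameters itself.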