mirror of
https://github.com/stack-auth/stack.git
synced 2026-06-19 21:00:40 +08:00
3c60b6923e
On the code-return hop of the nested cross-domain handshake, the constructor schedules callOAuthCallback before _maybeHandleNestedCrossDomainAuth. The former synchronously strips code+state from the URL (history.replaceState) before starting its token exchange, so the latter's 'a real OAuth callback wins' guard read an already-stripped URL, decided no callback was happening, and bounced back to the source domain with fresh handoff params - cancelling the in-flight exchange and restarting the whole redirect chain. Users saw 5-8+ redirects ping-ponging between their app and the hosted components site before the race happened to resolve. Capture the URL at construction time and let the nested handler consult it in addition to the live URL, so a stripped callback still counts as a callback. |
||
|---|---|---|
| .. | ||
| cli | ||
| dashboard-ui-components | ||
| js | ||
| next | ||
| react | ||
| sc | ||
| shared | ||
| tanstack-start | ||
| template | ||
| ui | ||