From ddde7ceab2491a1f733f849986d6b3412643a2c3 Mon Sep 17 00:00:00 2001
From: Paul van Brenk <5273975+paulvanbrenk@users.noreply.github.com>
Date: Wed, 18 Mar 2026 16:57:16 -0400
Subject: [PATCH] fix: stop passing returnUrl as query param in Stytch redirect URLs
Stytch requires exact match on redirect URLs including query params, which breaks OAuth login when returnUrl is appended. Store the return URL in localStorage instead and read it back after authentication.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 patchnotes-web/src/auth/stytch.ts | 8 ++++----
 patchnotes-web/src/pages/Authenticate.tsx | 5 ++++-
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/patchnotes-web/src/auth/stytch.ts b/patchnotes-web/src/auth/stytch.ts
index 460d7a72..3f4532c0 100644
--- a/patchnotes-web/src/auth/stytch.ts
+++ b/patchnotes-web/src/auth/stytch.ts
@@ -22,10 +22,10 @@ if (import.meta.env.DEV) {
 }
 export function getStytchLoginConfig(returnUrl?: string) {
- const base = `${window.location.origin}/authenticate`
- const redirectURL = returnUrl
- ? `${base}?returnUrl=${encodeURIComponent(returnUrl)}`
- : base
+ if (returnUrl) {
+ localStorage.setItem('stytch_return_url', returnUrl)
+ }
+ const redirectURL = `${window.location.origin}/authenticate`
 return {
 products,
diff --git a/patchnotes-web/src/pages/Authenticate.tsx b/patchnotes-web/src/pages/Authenticate.tsx
index 1f1dd9fe..99386683 100644
--- a/patchnotes-web/src/pages/Authenticate.tsx
+++ b/patchnotes-web/src/pages/Authenticate.tsx
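Review bot: In `getStytchLoginConfig` (stytch.ts) the `stytch_return_url` key is written only when `returnUrl` is truthy, so a value left by an earlier, abandoned login survives a later login that passes no `returnUrl`, and `Authenticate` would then redirect to that stale target. Clear the key in the other branch, e.g. `else { localStorage.removeItem('stytch_return_url') }`. localStorage is also shared by every tab on the origin, so two logins in flight overwrite each other's value; a comment on the key stating the single-flow assumption would make that limit visible. The function body continues past the end of the hunk.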
@@ -12,7 +12,10 @@ export function Authenticate() {
 const { token, tokenType, returnUrl } = useMemo(() => {
 const params = new URLSearchParams(window.location.search)
- const raw = params.get('returnUrl')
+ // Check localStorage first, then fall back to query param for backwards compat
+ const stored = localStorage.getItem('stytch_return_url')
+ localStorage.removeItem('stytch_return_url')
+ const raw = stored ?? params.get('returnUrl')
 return {
 token: params.get('token'),
 tokenType: params.get('stytch_token_type'),
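Review bot: The destructive read in Authenticate.tsx (`localStorage.getItem` followed by `localStorage.removeItem`) runs inside the `useMemo` callback, which React expects to be pure and may invoke more than once (Strict Mode in development, a discarded render, a remount); a repeat call finds the key already removed and silently falls back to the query parameter or to nothing. Keeping only the `getItem` in the memo and moving `localStorage.removeItem('stytch_return_url')` into the effect that consumes `returnUrl` after authentication succeeds would make the read repeatable. Separately, the stored value now takes precedence over `?returnUrl=`, and the fallback keeps the URL-supplied value in play, so whatever validation the rest of the callback applies to `raw` (not visible here, presumably a same-origin or relative-path check) must cover both sources before any redirect. A comment beside `raw` such as `// untrusted: must pass the return-URL check below` would record that requirement; the callback and the component continue outside the hunk.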