fix(url): strip leftover query string once signed in

The pre-login ?access=requested (and ?verify/?reset) lingered in the address bar
after login. Strip the query string on auth (the logged-in app reads nothing from
the URL); Welcome still reads its params while logged out. stripUrlParams now
preserves history.state so it's safe to call after the in-app page stamp.
This commit is contained in:
npeter83 2026-06-26 01:13:26 +02:00
parent 04d3367c88
commit de58ded923
2 changed files with 13 additions and 5 deletions

View file

@ -234,8 +234,8 @@ export default function App() {
}, []); // eslint-disable-line react-hooks/exhaustive-deps
// In-app Back/Forward: stamp the initial entry with the current page, then sync `page`
// from history.state on popstate. Runs after the strip-params effect above (which resets
// history.state to null), so the initial stamp isn't clobbered.
// from history.state on popstate. (stripUrlParams preserves history.state, so this stamp
// survives a later query-string strip.)
useEffect(() => {
window.history.replaceState(
{ ...window.history.state, sfPage: page },
@ -288,6 +288,13 @@ export default function App() {
refetchInterval: (query) => (query.state.data ? 60_000 : false),
});
// Once signed in, drop any leftover query string from the pre-login flow (e.g.
// ?access=requested, ?verify, ?reset). The logged-in app reads nothing from the URL, so the
// address bar stays clean. Gated on auth so the logged-out Welcome page still reads its params.
useEffect(() => {
if (meQuery.data) stripUrlParams();
}, [meQuery.data?.id]); // eslint-disable-line react-hooks/exhaustive-deps
// Any request that 401s means the session ended server-side. If we were signed in (cached
// `me` exists), reload to the login page at once (option 2 — also covers any click that hits
// the API). Guarded on cached `me` so the public login page's own /api/me 401 can't loop.