Use of history.pushState in createKindeClient.ts
https://github.dev/kinde-oss/kinde-auth-pkce-js/blob/main/src/createKindeClient.ts
handleRedirectToApp(...) calls
window.history.pushState({}, '', url);
on line 258. Is there any chance that this could be changed to https://developer.mozilla.org/en-US/docs/Web/API/History/replaceState? The use of pushState(...)
means that a history entry gets generated, which means that if a user clicks the Back button in their browser after login, they end up back on the URL which has the ?code=...
query args, which get stripped back out by Kinde and redirect them forward again to the page they just tried to press Back on.
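Added example, not code from the original post or from the Kinde SDK: a helper that strips the one-time callback parameters from the post-login URL, plus a small constructed stand-in for window.history (a test model, not the browser API) that shows why pushState leaves the ?code= URL one Back press away while replaceState does not. A real page would pass window.history and window.location.href.

```javascript
// One-time OAuth callback parameters that should not stay in the address bar
// or in a history entry once the code has been exchanged.
const CALLBACK_PARAMS = ['code', 'state', 'error', 'error_description'];

// Return the URL with the callback parameters removed; the app's own query
// parameters (e.g. ?tab=2) are preserved.
function stripCallbackParams(href) {
  const url = new URL(href);
  for (const name of CALLBACK_PARAMS) url.searchParams.delete(name);
  return url.toString();
}

// Constructed stand-in for window.history so the behaviour can run outside a
// browser. It keeps a stack of entries and exposes current() and back() for
// inspection; the browser object has pushState/replaceState only.
function fakeHistory(initialHref) {
  const entries = [initialHref];
  return {
    get length() { return entries.length; },
    current() { return entries[entries.length - 1]; },
    back() { if (entries.length > 1) entries.pop(); return this.current(); },
    pushState(_state, _title, url) { entries.push(url); },
    replaceState(_state, _title, url) { entries[entries.length - 1] = url; },
  };
}

// Hypothetical redirect handler: `usePush` selects pushState (the behaviour
// the post describes) or replaceState (the suggested change). Returns the
// cleaned URL that was written to history.
function cleanCallbackUrl(href, hist, usePush) {
  const clean = stripCallbackParams(href);
  if (usePush) hist.pushState({}, '', clean);
  else hist.replaceState({}, '', clean);
  return clean;
}
```

With pushState the history has two entries and back() returns the ?code= URL; with replaceState there is a single entry holding the cleaned URL.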
4 Replies
I raised this as an Issue in github: https://github.com/kinde-oss/kinde-auth-pkce-js/issues/56
Hey @Martin, great question and thanks for raising the issue on the repo. I will check in with the team member who takes care of the JS SDK and review it for you and also confirm your suggestion above would work well.
Hey @Martin, thanks for flagging this. I've responded on the issue as well, but putting it here as well for discoverability. We can definitely update it to replaceState, but it would come with its own caveats.
If we make it replaceState and the user clicks the back button, they would return to the Kinde auth flow. However, each login flow can only be run once for security, so they would end up seeing an error screen as that instance of the auth flow has already completed.
Just trying to understand the use case: what do you anticipate the user is trying to access when they click the Back button?
Thanks! I've replied on GitHub.