fix(sso): url-encode error query value in OIDC callback redirect (#9722)

This commit is contained in:
Taesu
2026-05-22 02:52:32 +00:00
committed by GitHub
parent 43cc49c640
commit f47aa4aa96
3 changed files with 13 additions and 2 deletions
@@ -0,0 +1,5 @@
---
"@better-auth/sso": patch
---
SSO OIDC callback now URL-encodes the `error` query value when redirecting on `handleOAuthUserInfo` errors (e.g. `?error=signup+disabled` instead of `?error=signup disabled`). Multi-word error values previously produced broken URLs with raw whitespace.
+4 -1
View File
@@ -588,7 +588,10 @@ describe("SSO disable implicit sign in", async () => {
"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
);
const { callbackURL } = await simulateOAuthFlow(res.url, headers);
expect(callbackURL).toContain("/api/auth/error?error=signup disabled");
expect(callbackURL).not.toContain("error=signup disabled");
const url = new URL(callbackURL);
expect(url.pathname).toBe("/api/auth/error");
expect(url.searchParams.get("error")).toBe("signup disabled");
});
it("should create user with SSO provider when sign ups are disabled but sign up is requested", async () => {
+4 -1
View File
@@ -1693,7 +1693,10 @@ async function handleOIDCCallback(
throw e;
}
if (linked.error) {
throw ctx.redirect(`${errorURL || callbackURL}?error=${linked.error}`);
const baseURL = errorURL || callbackURL;
const params = new URLSearchParams({ error: linked.error });
const sep = baseURL.includes("?") ? "&" : "?";
throw ctx.redirect(`${baseURL}${sep}${params.toString()}`);
}
const { session, user } = linked.data!;