22 changes: 22 additions & 0 deletions platform/wab/src/wab/client/ep/dashboard-restriction.spec.ts
Expand Up @@ -64,6 +64,18 @@ describe("isDashboardRestricted", () => {
});
expect(isDashboardRestricted(config, "?adminDashboard=true")).toBe(false);
});

it("returns false when escape hatch is inside continueTo param", () => {
const config = makeAppConfig({ hideDashboardViews: true });
expect(
isDashboardRestricted(config, "?continueTo=%2F%3FadminDashboard%3Dtrue")
).toBe(false);
});

it("returns true when continueTo has no query string", () => {
const config = makeAppConfig({ hideDashboardViews: true });
expect(isDashboardRestricted(config, "?continueTo=%2F")).toBe(true);
});
});

describe("redirectToDashboard", () => {
Expand Down Expand Up @@ -213,4 +225,14 @@ describe("shouldRedirectAuthRoute", () => {
shouldRedirectAuthRoute(restrictedConfig, "/login/callback", "")
).toBe(true);
});

it("does not redirect when escape hatch is inside continueTo param", () => {
expect(
shouldRedirectAuthRoute(
restrictedConfig,
"/login",
"?continueTo=%2F%3FadminDashboard%3Dtrue"
)
).toBe(false);
});
});
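Review bot: Neither new case in the isDashboardRestricted hunk pins the negative path for a `continueTo` value that carries the parameter with a value other than `"true"`, so an implementation that matches on presence rather than value (for example `innerParams.has(paramName)`) would still pass this suite. Add a case such as `it("returns true when continueTo carries the param with a non-true value", () => { const config = makeAppConfig({ hideDashboardViews: true }); expect(isDashboardRestricted(config, "?continueTo=%2F%3FadminDashboard%3Dfalse")).toBe(true); });`. The same gap applies to the shouldRedirectAuthRoute hunk below. The enclosing `describe("isDashboardRestricted", …)` block starts before this hunk.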
15 changes: 14 additions & 1 deletion platform/wab/src/wab/client/ep/dashboard-restriction.ts
Expand Up @@ -9,7 +9,20 @@ import { DevFlagsType } from "@/wab/shared/devflags";
function hasEscapeHatch(appConfig: DevFlagsType, locationSearch: string): boolean {
const paramName = appConfig.adminDashboardOverrideParam || "adminDashboard";
const params = new URLSearchParams(locationSearch);
return params.get(paramName) === "true";
if (params.get(paramName) === "true") {
return true;
}
// Check inside continueTo param — the escape hatch gets encoded there
// when redirecting unauthenticated users to the login page.
const continueTo = params.get("continueTo");
if (continueTo) {
const qIdx = continueTo.indexOf("?");
if (qIdx !== -1) {
const innerParams = new URLSearchParams(continueTo.substring(qIdx));
return innerParams.get(paramName) === "true";
}
}
return false;
}

/** True when dashboard routes should be locked down. */
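Review bot: The inner lookup `new URLSearchParams(continueTo.substring(qIdx))` hands everything after the first `?` to the parser, so a redirect target that ends in a fragment (e.g. `/?adminDashboard=true#section`) parses the value as `true#section` and the hatch is silently missed; parsing the target with the URL parser instead, `const inner = new URL(continueTo, "http://base.invalid").searchParams;` followed by `return inner.get(paramName) === "true";` (the base is a placeholder and is ignored for absolute targets), handles the fragment and the no-query case together and removes the `qIdx` branch. The new code also trusts a caller-supplied `continueTo` value; since the same override is already reachable from the top-level query string this does not appear to widen what a visitor can do, but that reasoning should be recorded in the comment, e.g. `// continueTo is caller-controlled; honouring the param here grants nothing the top-level param does not already grant.` The whole of hasEscapeHatch lies inside this hunk.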