Use replaceState for better browser history experience

[selaux]

Rationale: Currently, when we get to the login callback, the callback url with and without the hash will be counted as two different browser history entries. This leads to the user not having the possibility to navigate back as the history entry that includes the hash will always trigger the authentication procedure again. Additionally I don't like the idea of tokens appearing in my browser history, because this way an attacker could steal them from there (although they will only be valid for a limited amount of time).

Implementation: Replace window.location.hash = '' with window.history.replaceState( so it will not create an additional history entry, but replace the existing one that includes the hash.

What do you think?

[luisrudge]

I don't see two history entries when I log in on Chrome. 🤔 What browser are you testing?

[selaux]

Tested on Firefox and Chrome, but maybe I didn't describe it correctly and maybe this is a special case that we have. I will try to build a minimal example to showcase the issue.

[selaux]

Okay, so you can find the minimal example here. You are right, it actually works in Chrome and some other Browsers, but I tested in Firefox and there the issue appears.

Successful Login: Login with 'test@test.te' and 'Test1234'

After login it will redirect you to this page.

• Expected History:
  • Either: Login Page, this page
  • Or: Login Page, Login Callback without hash, this page
  • Or: Login Callback without hash, this page (this is the result in Chrome, IE11)
• Got: Login Page, Login Callback with hash, Login Callback without hash, this page (tested in Firefox, Safari)

I hope this makes things more clear and you can reproduce.

[luisrudge]

Yeah. Thanks for the PR!

[selaux]

Cool, thank you!

[selaux]

Thinking back on it you might also need to consider browser support. E.g. IE9 does not support this, for the browsers we support its ok.

[luisrudge]

I saw that, but we don't support IE9, so that's ok