fix(admin): prevent admin basepath from being prepended to non-admin URLs#1720
Conversation
🦋 Changeset detectedLatest commit: 6b24b44 The changes in this PR will be included in the next version bump. This PR includes changesets to release 16 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
@emdash-cms/admin
@emdash-cms/auth
@emdash-cms/auth-atproto
@emdash-cms/blocks
@emdash-cms/cloudflare
@emdash-cms/contentful-to-portable-text
emdash
create-emdash
@emdash-cms/gutenberg-to-portable-text
@emdash-cms/plugin-cli
@emdash-cms/plugin-types
@emdash-cms/registry-client
@emdash-cms/registry-lexicons
@emdash-cms/sandbox-workerd
@emdash-cms/x402
@emdash-cms/plugin-ai-moderation
@emdash-cms/plugin-atproto
@emdash-cms/plugin-audit-log
@emdash-cms/plugin-color
@emdash-cms/plugin-embeds
@emdash-cms/plugin-field-kit
@emdash-cms/plugin-forms
@emdash-cms/plugin-webhook-notifier
commit: |
There was a problem hiding this comment.
This is a focused, correct fix for the OAuth login-button regression. The approach is sound: KumoRouterLink was treating every root-absolute path as an in-SPA TanStack route, so non-admin /_emdash/* URLs like the OAuth endpoints got the admin basepath prepended. Returning "" from normalizeAdminHref for those paths forces KumoRouterLink to render a plain <a> tag, which is exactly what external-facing/EmDash API URLs need.
What I checked:
- The diff and full
App.tsx;normalizeAdminHrefis only consumed byKumoRouterLinkand the new placement correctly handles/_emdash/admin/*before falling through to the non-admin/_emdash/guard. - The OAuth button components (
packages/core/src/auth/providers/google-admin.tsx,github-admin.tsx) useLinkButton href="/_emdash/api/auth/oauth/..."through Kumo, confirming the broken path described in the PR. router.tsxhardcodesbasepath: "/_emdash/admin", matching theADMIN_BASEPATHconstant inApp.tsx, so the hardcoded check is consistent with the rest of the admin package.- The new unit test covers the key cases: admin basepath stripping, query/hash handling, non-admin
/_emdash/paths, root-relative admin routes, and external/protocol/mailto URLs. - A changeset is present and properly scoped to
@emdash-cms/adminas a patch.
I noted a possible minor improvement—the test imports the helper through App.tsx, which pulls in the whole admin module graph, but the function is pure and import-time side effects in this file are safe, so this is not a blocker. Otherwise no logic bugs, security issues, or AGENTS.md convention violations. LGTM.
|
Tested this against a real deployed EmDash site and the fix holds up. Environment checked:
What I verified:
Local/project gates run during the PR-equivalent deployment:
This covers real-site admin/OAuth behavior that the bot cannot verify. From triage, this looks ready for maintainer review/merge. |
What does this PR do?
Fixes a regression from #398 where OAuth provider login buttons (Google, GitHub) on the admin login page link to
/_emdash/admin/_emdash/api/auth/oauth/googleinstead of/_emdash/api/auth/oauth/google, causing a404.Root cause: In KumoRouterLink (the component bridging Kumo's LinkButton to TanStack Router), normalizeAdminHref returned non-admin /_emdash/* paths unchanged. These were then passed to TanStack Router's , which prepended the admin basepath /_emdash/admin.
Fix: normalizeAdminHref now returns "" for paths outside the admin basepath, causing KumoRouterLink to render a plain tag instead of a router . This also corrects the behavior for any non-admin absolute path used with LinkButton.
Closes #1671
Type of change
Checklist
pnpm typecheckpassespnpm lintpassespnpm testpasses (or targeted tests for my change)pnpm formathas been runmessages.pochanges except in translation PRs — a workflow extracts catalogs on merge tomain.AI-generated code disclosure
Screenshots / test output