This repository was archived by the owner on Sep 8, 2025. It is now read-only.
This repository was archived by the owner on Sep 8, 2025. It is now read-only.
Double encoding of URL query string when using redirect_to in sign_in_with_oauth #246
Description
Bug report
Describe the bug
I'm trying to use the redirect_to option when authorizing with provider in sign_in_with_oauth but the URL str value is encoded twice:
- from http://localhost:8000/user/
- to http%3A//localhost%3A8000/user/
- and finally the request to http%253A%2F%2Flocalhost%253A8000%2Fuser%2F
This is creating 2 issues, the redirect_to option is not working because it's not matching the allowed redirect urls from Supabase and second, the redirect url is incorrect.
To Reproduce
- Sign in with github or any provider and send a redirect_to value
provider = "github"
redirect_to = "http://localhost:8000/user/"
supabase.auth.sign_in_with_oauth({
"provider": provider,
"options": {
"redirect_to": redirect_to
}
})-
We can debug the value from the _get_url_for_provider function in https://github.com/supabase-community/gotrue-py/blob/3ec751bbc97f6917fd7c3aace24dfb67e23efbda/gotrue/_sync/gotrue_client.py#L825-L833
-
at the start of the function the values are:
provider = "github"
params = {'redirect_to': 'http://localhost:8000/user/'}- after each
quote(v)the params are encoded:
https://github.com/supabase-community/gotrue-py/blob/3ec751bbc97f6917fd7c3aace24dfb67e23efbda/gotrue/_sync/gotrue_client.py#L830-L831
params = {'redirect_to':'http%3A//localhost%3A8000/user/', 'provider':'github'}- then
urlencode(params)encodes all params again:
https://github.com/supabase-community/gotrue-py/blob/3ec751bbc97f6917fd7c3aace24dfb67e23efbda/gotrue/_sync/gotrue_client.py#L832-L833
query = 'redirect_to=http%253A%2F%2Flocalhost%253A8000%2Fuser%2F&provider=github'
return f"{self._url}/authorize?{query}"
return f"{self._url}/authorize?redirect_to=http%253A%2F%2Flocalhost%253A8000%2Fuser%2F&provider=github"⚠ Note: I'm using the _sync client, but the same steps are in the _async.