Merge pull request #7099 from Countly/ar2rsawseen/master2

ar2rsawseen · web-flow · commit e1f816f0642c · 2025-12-19T16:26:23.000+02:00
Persistently store hash in session storage to preserve it across oauth
diff --git a/frontend/express/views/dashboard.html b/frontend/express/views/dashboard.html
@@ -17,6 +17,41 @@
     <script><%- javascript %></script>
 	<link rel="icon" type="image/png" href="<%- cdn %><%- countlyFavicon %>">
     <script type="text/javascript">
+        // Restore URL hash preserved during OAuth2 authentication flow
+        // The hash was saved in sessionStorage on the login page before OAuth2 redirect.
+        // After successful authentication and redirect back to the dashboard, we restore it here
+        // so users land on the page they originally intended to visit (e.g., #/analytics/sessions).
+        // NOTE: The key 'countly_oauth_return_hash' must match the key used in login.html
+        (function() {
+            var OAUTH_HASH_KEY = 'countly_oauth_return_hash';
+            try {
+                var savedHash = sessionStorage.getItem(OAUTH_HASH_KEY);
+                if (savedHash && savedHash.length > 1) {
+                    // Clear the saved hash immediately to prevent reuse
+                    sessionStorage.removeItem(OAUTH_HASH_KEY);
+                    
+                    // Validate hash format: must start with # and contain only safe URL characters
+                    // Allow: alphanumeric, forward slash, hyphen, underscore, dot, question mark, equals, ampersand, percent
+                    var hashPattern = /^#[a-zA-Z0-9\/_\-\.?=&%]+$/;
+                    
+                    if (hashPattern.test(savedHash)) {
+                        // Additional check: ensure no javascript: or data: protocol
+                        var lowerHash = savedHash.toLowerCase();
+                        if (lowerHash.indexOf('javascript:') === -1 && 
+                            lowerHash.indexOf('data:') === -1 && 
+                            lowerHash.indexOf('<script') === -1) {
+                            // Restore the hash to the current URL
+                            if (window.location.hash !== savedHash) {
+                                window.location.hash = savedHash;
+                            }
+                        }
+                    }
+                }
+            } catch(e) {
+                // Ignore if sessionStorage is not available
+            }
+        })();
+        
         //no one should really need this
         window.eval = function(){
             console.log("eval not available");
diff --git a/frontend/express/views/login.html b/frontend/express/views/login.html
@@ -114,6 +114,26 @@ <h1 style="font-weight: 500;" id="header" data-test-id="login-sign-in" data-loca
 	<script>
         var countlyTitle = "<%- countlyTitle %>";
 		var resetResultMessage = "<%= message %>";
+		
+		// Preserve URL hash for OAuth2 redirect flow
+		// During OAuth2 authentication, the user is redirected to an external provider and back,
+		// which causes the URL hash (e.g., #/analytics/sessions) to be lost.
+		// We store it here in sessionStorage so it can be restored on the dashboard page
+		// after successful authentication, ensuring users land on their intended page.
+		// NOTE: The key 'countly_oauth_return_hash' must match the key used in dashboard.html
+		(function() {
+			var OAUTH_HASH_KEY = 'countly_oauth_return_hash';
+			var hash = window.location.hash;
+			if (hash && hash.length > 1) {
+				// Store hash in sessionStorage to preserve it through OAuth2 redirect
+				try {
+					sessionStorage.setItem(OAUTH_HASH_KEY, hash);
+				} catch(e) {
+					// Ignore if sessionStorage is not available
+				}
+			}
+		})();
+		
 		$(document).ready(function() {
 			<% if (message && message.length >0){ %>
 				$('.cly-vue-notification__alert-box').show();
