fix: resolve [object Object] in redirect URL and prevent query param leakage (#2338)

- Convert location.search object to query string in app route beforeLoad
- Use redirect({ href: ... }) instead of redirect({ to: ... }) in callback
  to prevent callback query params from leaking to destination URL

Fixes issue where navigating to checkout without login resulted in
URLs like /auth?redirect=/app/checkout[object Object] and after login
the callback params (code, scheme, redirect) were preserved in the
destination URL.

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: yujonglee <[email protected]>

Author: devin-ai-integration[bot]

apps/web/src/routes/_view/app/route.tsx

@@ -6,11 +6,15 @@ export const Route = createFileRoute("/_view/app")({
   beforeLoad: async ({ location }) => {
     const user = await fetchUser();
     if (!user) {
+      const searchStr =
+        Object.keys(location.search).length > 0
+          ? `?${new URLSearchParams(location.search as Record<string, string>).toString()}`
+          : "";
       throw redirect({
         to: "/auth",
         search: {
           flow: "web",
-          redirect: location.pathname + location.search,
+          redirect: location.pathname + searchStr,
         },
       });
     }

apps/web/src/routes/_view/callback/auth.tsx

@@ -23,7 +23,7 @@ export const Route = createFileRoute("/_view/callback/auth")({
       const { error } = await supabase.auth.exchangeCodeForSession(search.code);
 
       if (!error) {
-        throw redirect({ to: search.redirect || "/app/account" });
+        throw redirect({ href: search.redirect || "/app/account" });
       } else {
         console.error(error);
       }
@@ -86,7 +86,7 @@ function Component() {
 
   useEffect(() => {
     if (search.flow === "web") {
-      throw redirect({ to: search.redirect || "/app/account" });
+      throw redirect({ href: search.redirect || "/app/account" });
     }
 
     if (