
Google Sign-In Redirects to localhost with Access Token in URL #49

@vishnukothakapu

Description:

When trying to sign in using Google authentication, the flow completes on the Google side, but instead of redirecting correctly, it sends the user to a URL like http://localhost:3000/#access_token=... with the token in the hash fragment.

Steps to Reproduce:

  1. Open the app.
  2. Click Sign in with Google.
  3. Select a Google account and click Continue.
  4. The page redirects to:
    http://localhost:3000/#access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6InVPTDl5aWN0NWU3bHV5UDkiLCJ0eXAiOiJKV1QifQ.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.o4DFOecwpW5MhmSzXmipYgYtO9WPyz9-Zdw93BGru2Y&expires_at=1760392479&expires_in=3600&provider_token=ya29.a0AQQ_BDQPOSY8rLNqLq1aDNC7FRe_VKzEdsnrVHsDYZUm7gp3cjw0D-6aUfrc1y5EeMRZikfruSv06KiYOD4rF2U348FusO43Jnr0Q2Te6cFOSnvKkosooDf13MpddglHG_vfV_dqkBkihnDvBkVh-zRRaOKsid27j9VzIwCDnrSWDIOsK7SXGrYxZ0F8sGc83xQCNhMaCgYKAVsSARMSFQHGX2MiTE99LW6GqLyjQ0w0PhBp2w0206&refresh_token=yhnwl6apo7jy&token_type=bearer

Expected Behavior:

  • The user should be redirected to the app’s production/dashboard page.
  • Access token should be handled securely (not exposed in URL fragment).

Actual Behavior:

  • Redirect goes to localhost:3000 (likely a development URL).
  • Access token appears in the URL fragment, which could be a security risk.
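As an added example (not code from this issue or from the project), a small client-side check in JavaScript for the two symptoms reported above: it parses the fragment the redirect produced, reports which token fields leaked, compares the landing origin against an allow-list, returns a scrubbed URL suitable for `history.replaceState`, and refuses a localhost redirect target when the app is built for production. The function names, the `APP_ORIGIN` variable, the allow-list and the sample URL are assumptions constructed for the example.

```javascript
// Added example, not the project's code. Detects an implicit-flow redirect that
// landed on a dev origin with tokens in the URL fragment, and scrubs it.
const SENSITIVE_FRAGMENT_KEYS = ["access_token", "refresh_token", "provider_token", "id_token"];

// Parse "#k=v&k2=v2" into a plain object; {} when there is no fragment.
function parseFragment(url) {
  const hashIndex = url.indexOf("#");
  if (hashIndex === -1) return {};
  return Object.fromEntries(new URLSearchParams(url.slice(hashIndex + 1)).entries());
}

// Inspect the URL the browser landed on after the provider redirect.
// allowedOrigins: the origins the app legitimately redirects to (assumption).
function inspectRedirect(url, { allowedOrigins }) {
  const landed = new URL(url);
  const fragment = parseFragment(url);
  const leaked = SENSITIVE_FRAGMENT_KEYS.filter((key) => key in fragment);
  const scrubbed = new URL(url);
  scrubbed.hash = ""; // drop the whole fragment, tokens included
  return {
    originOk: allowedOrigins.includes(landed.origin),
    leaked, // which sensitive fields were exposed in the fragment
    expiresAt: fragment.expires_at ? Number(fragment.expires_at) : null,
    scrubbedUrl: scrubbed.toString(), // write back with history.replaceState
  };
}

// Choose the redirect target to hand to the OAuth provider. Refuses a
// localhost or plain-http origin when NODE_ENV is "production".
function chooseRedirectTo(env) {
  if (!env.APP_ORIGIN) throw new Error("APP_ORIGIN is not set");
  const { hostname, protocol } = new URL(env.APP_ORIGIN);
  const isLocal = hostname === "localhost" || hostname === "127.0.0.1";
  if (env.NODE_ENV === "production" && (isLocal || protocol !== "https:")) {
    throw new Error(`refusing dev redirect origin in production: ${env.APP_ORIGIN}`);
  }
  return new URL("/dashboard", env.APP_ORIGIN).toString();
}

// Constructed sample mirroring the shape of the reported redirect (fake token values).
const SAMPLE_REDIRECT =
  "http://localhost:3000/#access_token=CONSTRUCTED.JWT.VALUE&expires_at=1760392479" +
  "&expires_in=3600&provider_token=ya29.CONSTRUCTED&refresh_token=CONSTRUCTED&token_type=bearer";

if (typeof require !== "undefined" && require.main === module) {
  console.log(inspectRedirect(SAMPLE_REDIRECT, { allowedOrigins: ["https://app.example.com"] }));
}
```

Scrubbing the fragment only limits exposure after the fact (browser history, bookmarks, referrers); the durable fix is to register the production URL as the provider's redirect target and use an authorization-code flow so tokens never arrive in the fragment.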
