Skip to content

Strip HTTP Basic-Auth credentials from the URL#85

Merged
kcdragon merged 1 commit into
mainfrom
production-login-error
Jul 5, 2026
Merged

Strip HTTP Basic-Auth credentials from the URL#85
kcdragon merged 1 commit into
mainfrom
production-login-error

Conversation

@kcdragon

@kcdragon kcdragon commented Jul 5, 2026

Copy link
Copy Markdown
Collaborator

Loading production behind the pre-release Basic-Auth lock via a credentialed URL (https://user:pass@host) leaves the credentials in document.URL, so when Turbo calls history.replaceState() with the credential-free URL the browser throws a SecurityError that cascades and breaks login. This adds a strip-url-credentials Stimulus controller on <body> that detects credentials in location and redirects to the clean URL; the browser has already cached the auth, so the navigation stays authenticated and Turbo works.

🤖 Generated with Claude Code

Loading production via a credentialed URL (https://user:pass@host) leaves
the credentials in document.URL. Turbo passes the credential-free URL to
history.replaceState(), the browser treats the two as mismatched origins,
and throws a SecurityError that cascades and breaks login.

Add a Stimulus controller on <body> that detects credentials in location
and redirects to the clean URL; the browser has already cached the auth, so
the navigation stays authenticated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@kcdragon kcdragon merged commit 1191a24 into main Jul 5, 2026
4 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant