diff --git a/app/javascript/controllers/strip_url_credentials_controller.js b/app/javascript/controllers/strip_url_credentials_controller.js new file mode 100644 index 0000000..4904ae8 --- /dev/null +++ b/app/javascript/controllers/strip_url_credentials_controller.js @@ -0,0 +1,17 @@ +import { Controller } from "@hotwired/stimulus" + +// Strips HTTP Basic-Auth credentials from the URL (e.g. https://user:pass@host). +// The user:pass@ form makes document.URL mismatch the credential-free URL Turbo +// passes to history.replaceState(), throwing a SecurityError that breaks the page. +// The browser has already cached the credentials, so the clean navigation below +// stays authenticated. +export default class extends Controller { + connect() { + const url = new URL(window.location.href) + if (url.username || url.password) { + url.username = "" + url.password = "" + window.location.replace(url.toString()) + } + } +} diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb index e47e452..70ee5a4 100644 --- a/app/views/layouts/application.html.erb +++ b/app/views/layouts/application.html.erb @@ -27,7 +27,7 @@ <%= javascript_importmap_tags %> - +