From aea0c8f1f1bf8540feaa695536d185099d5e552a Mon Sep 17 00:00:00 2001
From: arne
Date: Fri, 21 Nov 2025 07:28:08 +0100
Subject: [PATCH] Remove `?code=` parameter after fetching bearer token

This is to ensure that it's not stored in any bookmark. The parameter only has a short validity, so it's mostly cosmetic, but the docs [recommend treating it securely](https://docs.joinmastodon.org/methods/oauth/#200-ok). Unfortunately it will still show up in logs. We should consider switching to `urn:ietf:wg:oauth:2.0:oob`.
---
 src/computersandblues/lodestone/app.cljs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/computersandblues/lodestone/app.cljs b/src/computersandblues/lodestone/app.cljs
index b91fc8c..42b54e8 100644
--- a/src/computersandblues/lodestone/app.cljs
+++ b/src/computersandblues/lodestone/app.cljs
@@ -134,7 +134,9 @@
 :redirect_uri (:redirect_uri application)}))})
 (.then (fn [res]
 (let [bearer-token (-> res :body :access_token)
- application (assoc application :bearer_token bearer-token)]
+ application (assoc application :bearer_token bearer-token)
+ path (-> js/location .-pathname)]
+ (.replaceState js/history nil "" path) ; remove ?code= param
 (db/put! ::db/application application)
 application)))))
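Review bot: The added `(.replaceState js/history nil "" path)` only runs inside the success `.then` of the token exchange, so on a failed or slow exchange the `?code=` stays in the address bar and survives a bookmark or reload, which would re-submit a single-use code that may already have been consumed. Strip it at the point where the code is read from `js/location`, before the token request is sent, e.g. `(.replaceState js/history nil "" (.-pathname js/location))` right after extracting the code, so the cleanup happens regardless of outcome; the start of this function and the `js/location` read are outside the hunk. Using only `.-pathname` also discards every other query parameter and the fragment, which is fine if the callback URL carries nothing else but should be stated in the comment, e.g. `; drop the whole query string (incl. ?code=) and fragment`. On the longer-term direction in the description: PKCE (RFC 7636) plus a `state` check is the standard mitigation for authorization-code leakage in browser clients and recent Mastodon releases advertise PKCE support (confirm against the target server), whereas the `oob` redirect is a manual copy-paste flow that several providers have deprecated.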