Remove ?code= parameter after fetching bearer token

This is to ensure that it's not stored in any bookmark. The parameter only has a short validity, so it's mostly cosmetic, but the docs [recommend treating it securely](https://docs.joinmastodon.org/methods/oauth/#200-ok). Unfortunately it will still show up in logs. We should consider switching to `urn:ietf:wg:oauth:2.0:oob`.
2025-11-21 07:28:08 +01:00 · 2025-11-21 07:28:08 +01:00 · aea0c8f1f1
commit aea0c8f1f1
parent de2cf7f9c2
1 changed files with 3 additions and 1 deletions
--- a/src/computersandblues/lodestone/app.cljs
+++ b/src/computersandblues/lodestone/app.cljs
@ -134,7 +134,9 @@
                                                   :redirect_uri (:redirect_uri application)}))})
   (.then (fn [res]
            (let [bearer-token (-> res :body :access_token)
-                  application (assoc application :bearer_token bearer-token)]
+                  application (assoc application :bearer_token bearer-token)
+                  path (-> js/location .-pathname)]
+              (.replaceState js/history nil "" path) ; remove ?code= param
              (db/put! ::db/application application)
              application)))))