important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Claim redirection functions should return full urls

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status: proposed
Deciders: rishabhpoddar, porcellus
Proposed by: porcellus
Created: 2022-11-28

Context and Problem Statement

We have decided to use configurable callbacks to redirect on claim validation success/failure (see here). These functions determine where we redirect the user by returning a string. We have to decide whether this string is a full URL or just a path.

Considered Options

  • Path
  • Full URL

Decision Outcome

The return value should be interpreted as a full URL (with the option to return just the path for local redirections):

  • This doesn't matter if there is no session sharing between subdomains. This is the case for most sites.
  • It makes sense for onFailure to redirect to the website domain in many cases (e.g. the email verification check failing).
  • There are cases where onFailure doesn't point to the website domain, e.g. the access denied page is specific to the app/subdomain we are currently on.
  • onSuccess is even more likely to redirect to a domain that doesn't match the website domain (e.g. continue browsing after email verification/2FA on the website domain).
  • Even if we could make onFailure redirect only to the website domain, doing the same to onSuccess would block too many use cases (or cause awkward double redirections).
  • Making them inconsistent would be bad.
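
A sketch of how a return value could be interpreted under this decision, added here as an illustration and not taken from the SuperTokens code base. The helper name `resolveClaimRedirect`, the `example.com` domains, the rule that a bare path resolves against the current origin, and the scheme check are all assumptions.

```javascript
// Added example, not SuperTokens code. All names and domains are constructed.
// Interprets a claim callback's return value as a full URL; a bare path is
// resolved against the origin the user is currently on (assumption).
function resolveClaimRedirect(returned, currentHref) {
  const current = new URL(currentHref);
  let target;
  try {
    // An absolute URL ignores the base; a path such as "/x" inherits it.
    target = new URL(returned, current.origin);
  } catch {
    throw new Error(`unparsable redirect target: ${returned}`);
  }
  // Redirect targets are navigations, so only web schemes are accepted.
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    throw new Error(`refusing redirect scheme ${target.protocol}`);
  }
  // Same-origin targets can use the app router; others need a full page load.
  return { href: target.href, sameOrigin: target.origin === current.origin };
}

// Constructed scenarios mirroring the cases listed above.
const scenarios = [
  { name: "onFailure: email verification on the website domain",
    current: "https://app.example.com/dashboard",
    returned: "https://example.com/auth/verify-email" },
  { name: "onFailure: access denied page on the current subdomain",
    current: "https://app.example.com/admin",
    returned: "/access-denied" },
  { name: "onSuccess: continue browsing after verification",
    current: "https://example.com/auth/verify-email",
    returned: "https://app.example.com/dashboard" },
];

function runScenarios() {
  return scenarios.map((s) => ({
    name: s.name,
    ...resolveClaimRedirect(s.returned, s.current),
  }));
}

for (const r of runScenarios()) {
  console.log(`${r.name} -> ${r.href} (same origin: ${r.sameOrigin})`);
}
```

With a path-only contract, the first and third scenarios could not be expressed without an extra redirect hop.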