
#107 : remove only Gotrue hash parameters from url after setting session from Url.

Open tartard opened this issue 4 years ago • 2 comments

What kind of change does this PR introduce?

Fixes #107

What is the current behavior?

After setting session from url, gotrue-js removes all the url hash. This can be a problem if the app uses a hash-based router: it would automatically redirect the user to the root location '#/'. This might not be the desired behavior for the developer, and currently the developer has no control over this behavior.

What is the new behavior?

After setting session from url, gotrue-js removes only the Gotrue parameters from the hash. This doesn't change other things which might be in the hash, like the path of the router.

tartard avatar Jul 29 '21 07:07 tartard
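The behavior described in this PR, sketched as an added example that is not part of the thread and is not gotrue-js code: strip only the auth parameters from the fragment, keep the router path, and check that no token is left in the URL afterwards. Only `access_token` appears on this page; the other key names, the function names and the sample fragment layouts are assumptions.

```javascript
// Added example, not gotrue-js code. Only access_token is shown on the page;
// the remaining key names are assumed for an implicit-grant style redirect.
const AUTH_KEYS = new Set([
  'access_token', 'refresh_token', 'expires_in', 'token_type',
  'provider_token', 'error', 'error_description',
]);

// Split a fragment into [delimiter, text] pairs, e.g. "/password?access_token=a&x=1"
// -> ["", "/password"], ["?", "access_token=a"], ["&", "x=1"]
function tokenize(hash) {
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  return [...body.matchAll(/([&?#]|^)([^&?#]*)/g)].map((m) => [m[1], m[2]]);
}

const isAuthParam = (text) =>
  text.includes('=') && AUTH_KEYS.has(text.split('=', 1)[0]);

// Remove only the auth parameters; router path and unrelated parameters survive.
function stripAuthParamsFromHash(hash) {
  let out = '';
  let inherited = null; // delimiter of the first token dropped in a run
  for (const [delim, text] of tokenize(hash)) {
    if (isAuthParam(text)) {
      if (inherited === null) inherited = delim;
      continue;
    }
    // A kept token takes over the delimiter of the dropped run before it,
    // so "/password?access_token=a&tab=2" becomes "/password?tab=2".
    out += (inherited ?? delim) + text;
    inherited = null;
  }
  return out ? '#' + out : '';
}

// Post-condition check: true if any auth parameter is still in the fragment.
function hashHasAuthParams(hash) {
  return tokenize(hash).some(([, text]) => isAuthParam(text));
}

// Apply to a full URL string. In a browser, the result would be handed to
// history.replaceState(null, '', cleaned) once the session has been stored.
function cleanUrl(href) {
  const url = new URL(href);
  url.hash = stripAuthParamsFromHash(url.hash);
  return url.toString();
}
```

Running `hashHasAuthParams` on the cleaned fragment is a cheap regression check that tokens do not linger in the address bar or browser history.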

Really waiting for this PR to be merged. My GitHub Pages application cannot be connected via OAuth2 because of this hash removal bug. Also, why doesn't gotrue itself use query params for this purpose?

DavraYoung avatar Aug 20 '21 13:08 DavraYoung

thanks everyone for pitching in, we'll try and get this out asap

awalias avatar Aug 22 '21 12:08 awalias

Hey @tartard and @sduduzog, thanks for taking the time to work on this PR. Unfortunately, I don't think this is the appropriate fix to enable your use-case with hash-based redirects in svelte.

@DavraYoung the tokens are placed behind a query fragment because gotrue follows an oauth2 protocol known as the implicit grant flow.

I've tried to reproduce the following cases with the correct redirect urls in the allow list:

  1. https://project-ref.supabase.co/auth/v1/authorize?provider=google&redirect_to=http://localhost3000/#/password Redirected to: http://localhost3000/#. Note that Gotrue doesn't even include the /#/password in the query fragment during the redirect here. The redirected url initially contains the #access_token=..... fragments but not the /password path.
  2. https://project-ref.supabase.co/auth/v1/authorize?provider=google&redirect_to=http://localhost3000/welcome Redirected to: http://localhost3000/welcome#. This is expected and correct.

Will be transferring this to the gotrue backlog.

kangmingtay avatar Sep 28 '22 04:09 kangmingtay