`getHashQueryParams` removes search and hash on iOS 16 WKWebView

[freeatnet]

Steps to reproduce

Environment: iOS 16.4.1 or 16.5 (iOS 17 isn't affected). Tested with our app launched inside an in-app browser (Telegram).

1. Have an app that uses @web3auth/[email protected] and @web3auth/[email protected] (which pulls in @toruslabs/[email protected] as a dep) and custom JWT
2. Initiate the user sign in by calling web3auth.connectTo(…) (code below) from a page URL that includes a query string and a hash/anchor.
3. Verify that the search and hash are still set when the user is redirected back.
4. Give web3auth a few moments to initialize the provider.
5. after getHashQueryParams is run, check the URL again.

Expected: window.location includes all details except web3auth details removed by getHashQueryParams Observed: window.location includes no search or hash attributes

Further triage

I couldn't quite pinpoint the bug, except that assigning search and hash on iOS 16 doesn't seem to have an effect if the original URL passed to new URL contains no search or hash.

The bug can be fixed by initializing cleanUrl to window.location.toString(),

-     const cleanUrl = new URL(window.location.origin + window.location.pathname);
+     const cleanUrl = new URL(window.location.toString());

I've patched the package directly on our side and will report if we see any ill side-effects.

Code

Calling for sign in:

    await web3auth.connectTo(WALLET_ADAPTERS.OPENLOGIN, {
      loginProvider: "jwt",
      extraLoginOptions: {
        id_token: token, // the JWT token
        verifierIdField: "sub", // same as your JWT Verifier ID
      },
      redirectUrl: window.location.toString(),
    });