
fix(oidc): navigate backend callbacks with full reload #3047

Merged: adityathebe merged 2 commits into main from feat/oidc-kratos-flow-fix on Jun 15, 2026

Conversation

adityathebe (Member) commented Jun 15, 2026

resolves: flanksource/mission-control#3230

When Kratos reports an existing session, the login page used client-side routing for return_to. OIDC callback return paths are served by the backend through Next rewrites, so router.push could leave the browser on the callback URL without completing the flow.

Force a document navigation for /oidc/* return paths while keeping client-side navigation for normal app routes.

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced authentication flow security by implementing improved validation of return-to URLs, preventing unauthorized navigation while ensuring secure user redirects after successful login completion.
    • Optimized OIDC authentication redirect behavior with improved session management capabilities, providing more reliable application navigation, better session state handling, and an enhanced user experience throughout the complete authentication process.
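As an added example (not flanksource-ui's own code): an illustrative sanitizeReturnTo plus the /oidc/ split the description refers to. The project's real sanitizeReturnTo is not shown on this page, so the checks below are an assumption about what such an open-redirect guard should enforce; ClientRouter and DocumentNavigator are stand-ins for the Next router and window.location.

```typescript
// Added example, not flanksource-ui's own code. The project's sanitizeReturnTo
// is referenced in the PR but not shown; the checks below are an assumption
// about what such a guard should enforce. The /oidc/ split mirrors the PR.

interface ClientRouter { push(path: string): void; }        // Next router stand-in
interface DocumentNavigator { assign(url: string): void; }  // window.location stand-in

type NavigationTarget = { kind: "client" | "document"; path: string };

const DEFAULT_RETURN_TO = "/";
const APP_ORIGIN = "https://app.invalid"; // placeholder origin used only for parsing

// Open-redirect guard: accept only same-origin absolute paths. Scheme-bearing
// URLs, protocol-relative "//host", and "/\host" (browsers treat "\" as "/")
// all fall back to the app root.
function sanitizeReturnTo(raw: string | null | undefined): string {
  if (!raw) return DEFAULT_RETURN_TO;
  const value = raw.trim();
  if (!value.startsWith("/") || value.startsWith("//") || value.startsWith("/\\")) {
    return DEFAULT_RETURN_TO;
  }
  // Defence in depth: resolve against a fixed origin and confirm it stayed there.
  try {
    const parsed = new URL(value, APP_ORIGIN);
    if (parsed.origin !== APP_ORIGIN) return DEFAULT_RETURN_TO;
    return parsed.pathname + parsed.search + parsed.hash;
  } catch {
    return DEFAULT_RETURN_TO;
  }
}

// The session_already_available branch from the PR: backend-served /oidc/*
// callbacks need a full document navigation so Next rewrites reach the backend;
// everything else stays on the client-side router.
function chooseNavigation(returnTo: string | null | undefined): NavigationTarget {
  const path = sanitizeReturnTo(returnTo);
  return { kind: path.startsWith("/oidc/") ? "document" : "client", path };
}

function navigateAfterExistingSession(
  returnTo: string | null | undefined,
  router: ClientRouter,
  location: DocumentNavigator,
): NavigationTarget {
  const target = chooseNavigation(returnTo);
  if (target.kind === "document") location.assign(target.path);
  else router.push(target.path);
  return target;
}
```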

vercel Bot commented Jun 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| aws-preview | Ready | Preview | Jun 15, 2026 3:28pm |
| flanksource-ui | Ready | Preview | Jun 15, 2026 3:28pm |


adityathebe requested a review from moshloop June 15, 2026 13:55
coderabbitai Bot (Contributor) commented Jun 15, 2026


Warning

Review limit reached

@adityathebe, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 41 minutes and 57 seconds. Learn how PR review limits work.


ℹ️ Review info

⚙️ Run configuration
  • Configuration used: Organization UI
  • Review profile: CHILL
  • Plan: Pro
  • Run ID: 69bfbd64-757a-497b-8b8d-307b5edd2ba9

📥 Commits

Reviewing files that changed from the base of the PR and between c19f353 and 18e7d83.

📒 Files selected for processing (3)
  • .github/workflows/test.yaml
  • src/components/Authentication/Kratos/ory/errors.tsx
  • src/components/Authentication/Kratos/ory/hooks.ts

Walkthrough

In both errors.tsx and hooks.ts, the session_already_available branch of handleGetFlowError is updated to sanitize return_to via sanitizeReturnTo and then split navigation: destinations beginning with /oidc/ use window.location.assign for a full browser navigation, while all other destinations continue using router.push.

Changes

OIDC session_already_available navigation fix

| Layer / File(s) | Summary |
| --- | --- |
| Conditional full-page vs client-side routing on session_already_available (src/components/Authentication/Kratos/ory/errors.tsx, src/components/Authentication/Kratos/ory/hooks.ts) | Both files update handleGetFlowError so the session_already_available branch sanitizes return_to and routes /oidc/-prefixed targets through window.location.assign (full-page navigation), while all other targets continue using router.push. |
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely describes the main change: fixing OIDC navigation to use full-page reload instead of client-side routing for backend callbacks. |
| Linked Issues check | ✅ Passed | Changes directly address issue #3230 by implementing full-page navigation for OIDC callbacks, allowing the backend to properly process callback URLs and complete authentication flow. |
| Out of Scope Changes check | ✅ Passed | All changes are narrowly focused on distinguishing OIDC callback routing from regular routing, with no modifications to unrelated functionality or files beyond error handling. |



That action is running an outdated canary CLI:

```txt
Chromatic CLI v10.6.0--canary...
A new major version is available (v17.4.1)
```

This specific "sentinel file not OK / not present" class of errors has been reported against old Chromatic CLI upload logic. So CI is failing during Chromatic's asset upload/finalization step, not during your app build.
adityathebe force-pushed the feat/oidc-kratos-flow-fix branch from c19f353 to 18e7d83 on June 15, 2026 15:28
adityathebe enabled auto-merge (rebase) June 15, 2026 15:35
adityathebe merged commit b4c8e60 into main Jun 15, 2026
13 of 15 checks passed
adityathebe deleted the feat/oidc-kratos-flow-fix branch June 15, 2026 15:36


Development

Successfully merging this pull request may close these issues.

faro: OIDC login on beta requires manual refresh on the browser
