From fc5e097521c2b4dc26d4bd87780e3ebc5936d79f Mon Sep 17 00:00:00 2001
From: Sarthak
Date: Wed, 17 Jun 2026 08:50:25 +0530
Subject: [PATCH] fix(auth): preserve state param when opening browser on Windows On Windows the login URL was launched via `cmd /c start `. cmd.exe treats `&` as a command separator, so the URL was truncated at the first `&` and the `state` query parameter (and `redirect_uri`) was dropped. The browser opened a stateless auth URL and the callback then failed the `state != expectedState` check, breaking the Windows login flow. Escape `&` as `^&` so the full URL reaches the browser, and pass an empty title argument to `start` so the URL is never mistaken for a window title. macOS (`open`) and Linux (`xdg-open`) are unaffected. Co-Authored-By: Claude Opus 4.8 (1M context)
---
 pkg/auth/auth.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index d596d42..10454d3 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -316,7 +316,11 @@ func generateRandomState() (string, error) {
 func openBrowser(targetURL string) error {
 switch runtime.GOOS {
 case "windows":
- return exec.Command("cmd", "/c", "start", targetURL).Start()
+ // cmd.exe treats & as a command separator, which truncates the URL and
+ // drops query parameters such as `state`. Escape it as ^& so the full
+ // URL reaches the browser. The empty title arg ("") keeps `start` from
+ // mistaking the URL for a window title.
+ return exec.Command("cmd", "/c", "start", "", strings.ReplaceAll(targetURL, "&", "^&")).Start()
 case "darwin":
 return exec.Command("open", targetURL).Start()
 default: // Linux and others
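Review bot: Escaping only `&` in the `case "windows":` branch still leaves the URL to be parsed by cmd.exe, which also gives special meaning to `|`, `<`, `>`, `^`, `%` and `"`, so a `targetURL` containing any of these would be altered or, if any part of it can be influenced from outside, interpreted as more than one command. Avoiding the shell removes the whole class rather than one character: `return exec.Command("rundll32", "url.dll,FileProtocolHandler", targetURL).Start()` hands the URL to the default handler as a single argument with no cmd.exe parsing. If `cmd /c start` has to stay, the comment should state that `targetURL` is assembled only from trusted, percent-encoded components, and the caller should enforce that. The patch adds no import line, so this compiles only if `strings` is already imported in auth.go; the rest of `openBrowser` lies outside the hunk.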