Description
Describe the bug
When calling signOut with a returnTo that is an absolute URL pointing back to the current site (e.g. https://app.example.com/after-logout), the client code classifies the redirect as “internal” and calls TanStack Router’s navigate instead of forcing a full page load. This breaks the WorkOS logout round-trip because the SPA intercepts navigation instead of redirecting to the external logout.
This also results in a nonsensical URL since the absolute URL is treated as a relative one. The redirect tries to load a page like:
https://app.example.com/https://api.workos.com/user_management/sessions/logout?session_id=session_0123456789&return_to=https%3A%2F%2Fapp.example.com%2Fafter-logout
This is caused by the handler's check for whether the returned redirect should be external or not:
// Check if external URL (WorkOS logout) or internal route
const isExternal = location.startsWith('http') && !location.includes(window.location.host);
The problem is that the returnTo parameter contains the name of the current host and so the handler erroneously marks it as an internal redirect even though the actual location points to WorkOS servers.
Expected behavior
The sign out should redirect to the AuthKit external logout and then return back to the application when finished.
Desktop (please complete the following information):
- OS: macOS
- Browser: Chrome
- authkit-tanstack-react-start version 0.2.0
- TanStack Start version 1.134.4
Additional context
Setting the returnTo URL dynamically is needed to support preview branches where each preview is hosted on a different subdomain and logging out should return to the same preview.
I was able to work around this by creating a custom hook that duplicated the sign out logic but replaced the condition with:
const isExternal = !location.startsWith('/');
This meets my needs but doesn't handle the case where a redirect to the same site with an absolute URL is intended to be handled by an internal router navigation. However, I'm not sure if that is a valid use case or not.
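The classification problem described in this issue, as an added example (not code from the issue author or from the authkit project): the quoted substring check is shown next to a check that compares parsed origins. The function names and the `currentOrigin` parameter are hypothetical, and rejecting non-http(s) schemes goes beyond what the issue discusses.

```javascript
// Hypothetical helper names; sample URLs are the ones quoted in the issue.

// The check quoted in the issue, with the host passed in instead of read from window.
function isExternalBySubstring(location, currentHost) {
  return location.startsWith('http') && !location.includes(currentHost);
}

// Compare parsed origins instead of searching the whole string, so a host name
// that only appears inside a query parameter (return_to=...) has no effect.
function classifyRedirect(location, currentOrigin) {
  let target;
  try {
    // Relative paths ("/after-logout") resolve against the current origin;
    // absolute and protocol-relative URLs keep their own origin.
    target = new URL(location, currentOrigin);
  } catch {
    return { kind: 'invalid' }; // unparseable: do not navigate
  }
  // Only http(s) targets are followed; javascript:, data:, etc. are refused.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return { kind: 'invalid' };
  }
  if (target.origin !== new URL(currentOrigin).origin) {
    // Full page load, e.g. window.location.href = result.href
    return { kind: 'external', href: target.href };
  }
  // Same origin: hand the router a path, never the absolute URL.
  return { kind: 'internal', to: target.pathname + target.search + target.hash };
}

const ORIGIN = 'https://app.example.com';
const LOGOUT =
  'https://api.workos.com/user_management/sessions/logout' +
  '?session_id=session_0123456789' +
  '&return_to=https%3A%2F%2Fapp.example.com%2Fafter-logout';

// Substring check: the host inside return_to makes the logout URL look internal.
console.log(isExternalBySubstring(LOGOUT, 'app.example.com'));
// Origin check: the logout URL is external, the same-site absolute URL is a route.
console.log(classifyRedirect(LOGOUT, ORIGIN));
console.log(classifyRedirect('https://app.example.com/after-logout', ORIGIN));
```
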