When I make a request to {{url}}/oauth/initiate/facebook?redirect=http://localhost:3000/oauth/callback/facebook&type=login, the & is encoded to &. If I reorder the parameters and put the type parameter first, then the request goes through fine.
I haven’t seen any browsers behave in this manner, and encoding used isn’t ideal, so I’m assuming it’s a bug.
After some more investigation, the issue is not on the server end, but in Postman, but it’s not an encoding issue like I had originally thought. The URL is actually being mutated and I’ve finally figured out the magic combination to cause the issue.
If you use a variable for your base route and have a URL as one of your query parameters, and you save the request, it mangles the request prior to sending it. If you use the full base route without using a variable it works fine, and if you don’t save the request it works fine, but once you save the request it starts acting oddly.
Example route: {{url}}/get?type=login&redirect=http://localhost:3000/oauth/callback/google
I’ve set {{url}} to our own test servers, postman-echo, and httpbin and the results are the same on all servers.
Here are the results from the postman-echo server using the example route: