Seeing strange data included in url returned from TrelloPowerup.iframe().signUrl(...)

Mattlassian · March 30, 2023, 2:36pm

A power-up user reported to me that my server is returning a 414 “Request URI too large” error when opening my power-up. I’ve only had one user report this. The issue seems to be that signUrl is appending a bunch of weird data to the URL, making it very long. I’ve made no changes to my code prior to this problem starting.

So I call t.signUrl('http://foo.com/#')and what’s returned is http://foo.com/# plus the data below URL encoded.

This is the data that is getting appended to the URL (I’ve decoded the data so it’s readable, it was URL encoded).

{"secret":"REDACTED","context":{"version":"build-185641","member":"REDACTED","permissions":{"board":"write","organization":"write"},"organization":"REDACTED","initialTheme":"light","theme":null,"serializedTokens":"
 html[data-color-mode="light"][data-theme~="light:light"],
 html[data-color-mode="dark"][data-theme~="dark:light"] {
   --ds-text: #172B4D;
   --ds-text-accent-red: #AE2A19;
   --ds-text-accent-red-bolder: #601E16;
   --ds-text-accent-orange: #974F0C;
   --ds-text-accent-orange-bolder: #5F3811;
   --ds-text-accent-yellow: #7F5F01;
 [etc...removed the rest for brevity]

AdamCao · April 1, 2023, 11:42pm

I reported this issue to Trello because it was breaking t.authorize and they reverted the change: Trello Status - Power-Up authorization is degraded or not working for some Power-Ups

For some reason, they thought injecting 9000 characters worth of CSS variables as query string parameters for their new theme-ing / UI modernization update would be a good idea.

PeteFowles · April 18, 2023, 1:08pm

For anyone else seeing strange behaviour on authorize this thread helped us track down our issue.

The fix above made by Trello was to drop all parameters from the default return url on the Authorize function. This change may have had some undesired effects for some powerups (like us) who were relying on the return url matching certain params on the current page.

See: https://p.trellocdn.com/changelogs/power-up-js.html for the specific change containing Trello’s fix.

Our resolution was to explicitly pass a return url to the auth function rather than rely on the default. This option is not documented on the powerup client library documentation or on the client-js-reference guide but is an option in the REST API docs. See https://developer.atlassian.com/cloud/trello/guides/rest-api/authorization/

The JS option name is “returnUrl” and any of your own explicit url parameters won’t be stripped.