This was found by a customer and repro'ed by me. This is a hard-to-discover hang that happens in a CORS scenario when STORMPATH_CONFIG.ENDPOINT_PREFIX is not configured.

Repro branch: https://github.com/nbarbettini/StormpathAuth/tree/hang-repro/Client
This should get the sample client running, no server required:

npm install && bower install
gulp serve-dev

What's happening is this:

1. Because STORMPATH_CONFIG.ENDPOINT_PREFIX isn't pointing to the remote server, the call to /me in UserService.prototype.get is requesting localhost:3000/me, which succeeds and returns index.html
2. self.currentUser = new User(response.data.account || response.data) doesn't fail but stuffs index.html into currentUser
3. When a state change to /login is detected, this block causes an infinite loop because $user.currentUser.href never exists:

              $user.get().finally(function(){
                if($user.currentUser && $user.currentUser.href){
                  $state.go(config.defaultPostLoginState);
                } else {
                  $state.go(toState.name,toParams);
                }
              });

This could partially be solved by doing a sanity check in UserService.prototype.get:

            if (!response.headers('Content-Type').startsWith('application/json')) {
              op.reject(response);
              return op.promise;
            }

This doesn't totally solve the problem, though, because finally is ignoring whether the request succeeds or fails.

Configuring STORMPATH_CONFIG.ENDPOINT_PREFIX fixes the problem, but I'm reporting this because I think the failure mode could be better in this case - hanging is hard to diagnose.