fix(auth): redirect to original URL after login

Pass current path as ?next= when bouncing unauthenticated requests
to /echo/login; after successful auth, JS reads and validates the
param (must start with /echo/, not /echo/login) before redirecting.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-29 13:38:27 +00:00
parent b08f039917
commit 38259f3cfd
2 changed files with 11 additions and 2 deletions


@@ -252,7 +252,14 @@
// Browsers auto-follow 302, so a successful login surfaces
// here as a 2xx (workspace.html) or an opaqueredirect.
if (res.ok || res.type === 'opaqueredirect' || res.redirected) {
var dest = res.url && res.redirected ? res.url : '/echo/workspace.html';
// Redirect back to the page the user originally wanted,
// passed as ?next= by the server. Validate it's a safe
// relative /echo/ path to prevent open-redirect attacks.
var params = new URLSearchParams(window.location.search);
var next = params.get('next') || '';
var dest = (next && /^\/echo\/[^/]/.test(next) && next.indexOf('/echo/login') !== 0)
? next
: '/echo/workspace.html';
window.location.assign(dest);
return;
}
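Review bot: The validation in the new `var dest = (...)` expression tests the raw `next` string, but the browser resolves dot segments (`..`, `.`, and their percent-encoded forms) before navigating, so a value that passes `/^\/echo\/[^/]/` can still resolve to a path outside /echo/ or back onto /echo/login. The leading `/echo/` does keep the destination on the same origin, so this is not a cross-origin redirect, but the constraint stated in the commit message ("must start with /echo/, not /echo/login") is not enforced on the path that is actually loaded. I would resolve the value with `new URL(next, window.location.origin)` and apply the same prefix and login checks to `pathname`, falling back to the default if parsing throws. The enclosing handler starts and ends outside this hunk, so I cannot tell whether the server also re-validates `next` when it issues the bounce.

```javascript
var params = new URLSearchParams(window.location.search);
var next = params.get('next') || '';
var dest = '/echo/workspace.html';
// Check the normalized path, not the raw string: the URL parser
// collapses dot segments before the navigation happens.
if (/^\/echo\/[^/]/.test(next)) {
  try {
    var target = new URL(next, window.location.origin);
    if (target.origin === window.location.origin &&
        /^\/echo\/[^/]/.test(target.pathname) &&
        target.pathname.indexOf('/echo/login') !== 0) {
      dest = target.pathname + target.search + target.hash;
    }
  } catch (e) {
    // Unparseable value: keep the default destination.
  }
}
// … unchanged: window.location.assign(dest); return; …
```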