[6.x] Fix login redirects (#14560)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: jasonvarga

resources/js/components/global-header/UserDropdown.vue

@@ -4,7 +4,7 @@ import { Avatar, Button, DropdownHeader, Badge, Dropdown, DropdownMenu, Dropdown
 import useStatamicPageProps from '@/composables/page-props.js';
 
 const { supportUrl } = useStatamicPageProps();
-const logoutUrl = `${cp_url('auth/logout')}?redirect=${cp_url('/')}`;
+const logoutUrl = `${cp_url('auth/logout')}?redirect=${cp_url('auth/login')}`;
 const user = Statamic.user;
 const isImpersonating = computed((() => user.is_impersonating));
 </script>

resources/js/pages/auth/Login.vue

@@ -15,7 +15,6 @@ const props = defineProps([
     'passkeyVerifyUrl',
     'oauthEnabled',
     'providers',
-    'referer',
     'submitUrl',
     'forgotPasswordUrl',
 ])
@@ -42,11 +41,11 @@ const submit = () => {
             errors.value = {};
         },
         onSuccess: (page) => {
-			if (page.component === 'auth/two-factor/Challenge') {
-				return;
-			}
+            if (page.component === 'auth/two-factor/Challenge') {
+                return;
+            }
 
-	        window.location.href = props.referer;
+            window.location.href = page.url;
         },
         onError: () => processing.value = false
     });

resources/js/pages/auth/Unauthorized.vue

@@ -2,7 +2,6 @@
 import Head from '@/pages/layout/Head.vue';
 import Outside from '@/pages/layout/Outside.vue';
 import { AuthCard, Button } from '@ui';
-import { Link } from '@inertiajs/vue3';
 
 defineOptions({ layout: Outside });
 
@@ -19,7 +18,7 @@ defineProps(['isLoggedIn', 'loginUrl', 'logoutUrl']);
     >
         <div class="flex justify-center">
             <Button
-                :as="Link"
+                as="a"
                 variant="primary"
                 :href="isLoggedIn ? logoutUrl : loginUrl"
                 class="w-full"

src/Exceptions/AuthenticationException.php

@@ -22,6 +22,6 @@ protected function handleRedirect()
                 : abort(401);
         }
 
-        return redirect()->route('statamic.cp.login');
+        return redirect()->guest(route('statamic.cp.login'));
     }
 }

src/Http/Controllers/CP/Auth/LoginController.php

@@ -15,7 +15,6 @@
 use Statamic\Http\Middleware\CP\RedirectIfAuthorized;
 use Statamic\OAuth\Provider;
 use Statamic\Statamic;
-use Statamic\Support\Str;
 
 use function Statamic\trans as __;
 
@@ -43,7 +42,6 @@ public function showLoginForm(Request $request)
             'oauthEnabled' => $oauthEnabled,
             'emailLoginEnabled' => $emailLoginEnabled,
             'providers' => $oauthEnabled ? $this->oauthProviders() : [],
-            'referer' => $this->getReferrer($request),
             'forgotPasswordUrl' => cp_route('password.request'),
             'submitUrl' => cp_route('login'),
             'passkeyOptionsUrl' => cp_route('passkeys.auth.options'),
@@ -107,11 +105,7 @@ protected function fireFailedEvent($request, $user = null)
 
     public function redirectPath()
     {
-        $cp = cp_route('index');
-        $referer = request('referer');
-        $referredFromCp = Str::startsWith($referer, $cp) && ! Str::startsWith($referer, $cp.'/auth/');
-
-        return $referredFromCp ? $referer : $cp;
+        return cp_route('index');
     }
 
     protected function authenticated(Request $request, $user)
@@ -144,13 +138,6 @@ public function logout(Request $request)
         return redirect(URL::isExternalToApplication($redirect) ? '/' : $redirect);
     }
 
-    protected function getReferrer()
-    {
-        $referrer = url()->previous();
-
-        return $referrer === cp_route('unauthorized') ? cp_route('index') : $referrer;
-    }
-
     public function username()
     {
         return 'email';

src/Http/Controllers/CP/Auth/PasskeyLoginController.php

@@ -2,19 +2,12 @@
 
 namespace Statamic\Http\Controllers\CP\Auth;
 
-use Illuminate\Http\Request;
-use Statamic\Facades\URL;
 use Statamic\Http\Controllers\User\PasskeyLoginController as Controller;
-use Statamic\Support\Str;
 
 class PasskeyLoginController extends Controller
 {
-    protected function successRedirectUrl(Request $request): string
+    protected function defaultRedirectUrl(): string
     {
-        $referer = $request->input('referer');
-
-        return Str::contains($referer, '/'.config('statamic.cp.route')) && ! URL::isExternalToApplication($referer)
-            ? $referer
-            : cp_route('index');
+        return cp_route('index');
     }
 }

src/Http/Controllers/CP/Auth/TwoFactorChallengeController.php

@@ -2,11 +2,9 @@
 
 namespace Statamic\Http\Controllers\CP\Auth;
 
-use Illuminate\Http\Request;
 use Statamic\Http\Controllers\TwoFactorChallengeController as Controller;
 use Statamic\Http\Middleware\CP\HandleInertiaRequests;
 use Statamic\Http\Middleware\CP\RedirectIfAuthorized;
-use Statamic\Support\Str;
 
 class TwoFactorChallengeController extends Controller
 {
@@ -22,13 +20,9 @@ protected function formAction()
         return cp_route('two-factor-challenge');
     }
 
-    protected function redirectPath(Request $request)
+    protected function defaultRedirectPath(): string
     {
-        $cp = cp_route('index');
-        $referer = $request->input('referer');
-        $referredFromCp = Str::startsWith($referer, $cp) && ! Str::startsWith($referer, $cp.'/auth/');
-
-        return $referredFromCp ? $referer : $cp;
+        return cp_route('index');
     }
 
     protected function failedRedirectPath()

src/Http/Controllers/CP/Auth/TwoFactorSetupController.php

@@ -16,10 +16,10 @@ public function __construct(Request $request)
     protected function redirectPath()
     {
         $cp = cp_route('index');
-        $referer = request('referer');
-        $referredFromCp = Str::startsWith($referer, $cp) && ! Str::startsWith($referer, $cp.'/auth/');
+        $intended = redirect()->getIntendedUrl();
+        $isCpUrl = $intended && Str::startsWith($intended, $cp) && ! Str::startsWith($intended, $cp.'/auth/');
 
-        return $referredFromCp ? $referer : $cp;
+        return $isCpUrl ? $intended : $cp;
     }
 
     protected function routes($user): array

src/Http/Controllers/Concerns/HandlesLogins.php

@@ -60,21 +60,15 @@ protected function throwFailedAuthenticationException(Request $request)
 
     protected function twoFactorChallengeResponse(Request $request, User $user)
     {
-        $request->session()->forget('login.redirect');
-
-        $session = [
+        $request->session()->put([
             'login.id' => $user->getKey(),
             'login.remember' => $request->boolean('remember'),
-        ];
+        ]);
 
-        if ($redirect = $request->input('_redirect')) {
-            if (! URL::isExternalToApplication($redirect)) {
-                $session['login.redirect'] = $redirect;
-            }
+        if (($redirect = $request->input('_redirect')) && ! URL::isExternalToApplication($redirect)) {
+            redirect()->setIntendedUrl($redirect);
         }
 
-        $request->session()->put($session);
-
         TwoFactorAuthenticationChallenged::dispatch($user);
 
         return $request->wantsJson()

src/Http/Controllers/TwoFactorChallengeController.php

@@ -58,13 +58,15 @@ public function store(TwoFactorChallengeRequest $request)
 
         $request->session()->regenerate();
 
+        $redirect = $this->redirectPath($request);
+
         if ($request->inertia() || $request->expectsJson()) {
             return $request->inertia()
-                ? Inertia::location($this->redirectPath($request))
+                ? Inertia::location($redirect)
                 : response('Authenticated');
         }
 
-        return redirect()->intended($this->redirectPath($request));
+        return redirect($redirect);
     }
 
     protected function sendFailedResponse(TwoFactorChallengeRequest $request)
@@ -85,18 +87,17 @@ protected function formAction()
 
     protected function redirectPath(Request $request)
     {
-        if ($redirect = $request->input('_redirect')) {
-            if (! URL::isExternalToApplication($redirect)) {
-                return $redirect;
-            }
-        }
+        $intended = $request->session()->pull('url.intended', $this->defaultRedirectPath());
 
-        if ($redirect = $request->session()->pull('login.redirect')) {
-            if (! URL::isExternalToApplication($redirect)) {
-                return $redirect;
-            }
+        if (($redirect = $request->input('_redirect')) && ! URL::isExternalToApplication($redirect)) {
+            return $redirect;
         }
 
+        return $intended;
+    }
+
+    protected function defaultRedirectPath(): string
+    {
         return route('statamic.site');
     }