Always consume url.intended in 2FA challenge redirect resolution

The _redirect short-circuit returned early without pulling url.intended
from session, which could leave a stale value behind when both were set.
Pull it up front so it's consumed regardless of which path wins.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: jasonvarga

src/Http/Controllers/TwoFactorChallengeController.php

@@ -87,11 +87,13 @@ protected function formAction()
 
     protected function redirectPath(Request $request)
     {
+        $intended = $request->session()->pull('url.intended', $this->defaultRedirectPath());
+
         if (($redirect = $request->input('_redirect')) && ! URL::isExternalToApplication($redirect)) {
             return $redirect;
         }
 
-        return $request->session()->pull('url.intended', $this->defaultRedirectPath());
+        return $intended;
     }
 
     protected function defaultRedirectPath(): string

tests/Tags/User/TwoFactorChallengeFormTest.php

@@ -210,6 +210,26 @@ public function it_uses_intended_url_from_session_when_no_redirect_param()
         $this->assertAuthenticatedAs($user);
     }
 
+    #[Test]
+    public function it_clears_intended_url_from_session_when_redirect_param_wins()
+    {
+        $user = $this->userWithTwoFactorEnabled();
+
+        $this
+            ->session([
+                'login.id' => $user->id(),
+                'url.intended' => '/account',
+            ])
+            ->post(route('statamic.two-factor-challenge'), [
+                'code' => $this->getOneTimeCode($user),
+                '_redirect' => '/dashboard',
+            ])
+            ->assertRedirect('/dashboard')
+            ->assertSessionMissing('url.intended');
+
+        $this->assertAuthenticatedAs($user);
+    }
+
     private function user()
     {
         return tap(User::make()->makeSuper()->email('test@example.com'))->save();