From 5c5b0e35d95982fe636748810290f2d6a268dc1b Mon Sep 17 00:00:00 2001
From: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com>
Date: Wed, 22 May 2024 10:18:12 +0200
Subject: [PATCH] feat: accept a ?returnPath that overrides the stored path

---
 .../src/apps/app/app-auth.controller.ts                   | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/Umbraco.Web.UI.Client/src/apps/app/app-auth.controller.ts b/src/Umbraco.Web.UI.Client/src/apps/app/app-auth.controller.ts
index 13a928e69c..fbf49db6ce 100644
--- a/src/Umbraco.Web.UI.Client/src/apps/app/app-auth.controller.ts
+++ b/src/Umbraco.Web.UI.Client/src/apps/app/app-auth.controller.ts
@@ -71,7 +71,13 @@ export class UmbAppAuthController extends UmbControllerBase {
 		}
 
 		// Save the current state
-		sessionStorage.setItem(UMB_STORAGE_REDIRECT_URL, window.location.href);
+		let currentUrl = window.location.href;
+		const searchParams = new URLSearchParams(window.location.search);
+		if (searchParams.has('returnPath')) {
+			currentUrl = decodeURIComponent(searchParams.get('returnPath') || currentUrl);
+		}
+		const safeUrl = new URL(currentUrl, window.location.origin);
+		sessionStorage.setItem(UMB_STORAGE_REDIRECT_URL, safeUrl.toString());
 
 		// Figure out which providers are available
 		const availableProviders = await firstValueFrom(this.#authContext.getAuthProviders(umbExtensionsRegistry));