Revert "fix(app-router): encode returnTo in login redirect to prevent OAuth param injection" (#2443)

tusharpandey13 · web-flow · commit 3210e112bbd9 · 2025-12-03T14:59:48.000+05:30
diff --git a/src/server/helpers/with-page-auth-required.ts b/src/server/helpers/with-page-auth-required.ts
@@ -196,7 +196,7 @@ export const appRouteHandlerFactory =
           : opts.returnTo;
       const { redirect } = await import("next/navigation.js");
       redirect(
-        `${config.loginUrl}${returnTo ? `?returnTo=${encodeURIComponent(returnTo)}` : ""}`
+        `${config.loginUrl}${opts.returnTo ? `?returnTo=${returnTo}` : ""}`
       );
     }
     return handler(params);

Original file line number	Diff line number	Diff line change
`@@ -196,7 +196,7 @@ export const appRouteHandlerFactory =`
`196`	`196`	`: opts.returnTo;`
`197`	`197`	`const { redirect } = await import("next/navigation.js");`
`198`	`198`	`redirect(`
`199`		- `${config.loginUrl}${returnTo ? `?returnTo=${encodeURIComponent(returnTo)}` : ""}`
	`199`	+ `${config.loginUrl}${opts.returnTo ? `?returnTo=${returnTo}` : ""}`
`200`	`200`	`);`
`201`	`201`	`}`
`202`	`202`	`return handler(params);`