From d28696f43d64417e633ca06cd94d7f15a0c9fb6f Mon Sep 17 00:00:00 2001
From: JasonOA888
Date: Wed, 6 May 2026 02:38:17 +0800
Subject: [PATCH] Fix open redirect in sessions controller

The after_sign_in_path_for method returned params[:redir] directly when it didn't start with CONSOLE_URL, allowing redirects to any external URL after login. Now falls through to super for non-console URLs.
---
 app/controllers/sessions_controller.rb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 2281d56f..c17823e7 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -27,8 +27,6 @@ class SessionsController < Devise::SessionsController
 def after_sign_in_path_for(...)
 if params[:redir].present?
 return console_redirect_index_path(redir: params[:redir]) if params[:redir].starts_with?(Docuseal::CONSOLE_URL)
-
- return params[:redir]
 end
 super