From bcab16f2bf99428960db088e4a994bf30c556c97 Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Tue, 31 Mar 2026 14:54:55 -0700 Subject: [PATCH] Fix SSO return-to redirect loop SetReturnToCookie stored /sso/redirect as the return-to path, causing a redirect loop after successful SSO login: the callback would redirect back to /sso/redirect instead of /. Filter all /sso/* paths, not just /sso/callback. Co-Authored-By: Claude Opus 4.6 (1M context)
---
sso/sso.go | 2 +- sso/sso_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/sso/sso.go b/sso/sso.go
index d2e17dd..e0fb6f2 100644
--- a/sso/sso.go
+++ b/sso/sso.go
@@ -229,7 +229,7 @@ func ValidateStateCookie(w http.ResponseWriter, r *http.Request, prefix, querySt
 // redirect back to it after SSO login completes.
 func SetReturnToCookie(w http.ResponseWriter, r *http.Request, prefix string) {
 path := r.URL.Path
- if path == "" || path == "/login" || path == "/sso/callback" {
+ if path == "" || path == "/login" || strings.HasPrefix(path, "/sso/") {
 path = "/"
 }
 http.SetCookie(w, &http.Cookie{
diff --git a/sso/sso_test.go b/sso/sso_test.go
index 568156b..cda9121 100644
--- a/sso/sso_test.go
+++ b/sso/sso_test.go
@@ -193,7 +193,7 @@ func TestReturnToDefaultsToRoot(t *testing.T) {
 }
 
 func TestReturnToSkipsLoginPaths(t *testing.T) {
- for _, p := range []string{"/login", "/sso/callback"} {
+ for _, p := range []string{"/login", "/sso/callback", "/sso/redirect"} {
 rec := httptest.NewRecorder()
 req := httptest.NewRequest(http.MethodGet, p, nil)
 SetReturnToCookie(rec, req, "mcr")
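Review bot: The return-to value in SetReturnToCookie is still taken from `r.URL.Path` with only a denylist applied, so a request path that begins with `//` or contains a backslash is stored unchanged; if the callback redirects to the cookie value as-is (that code is outside this hunk), browsers can treat such a value as a scheme-relative URL and the login flow becomes an open redirect. The guard could fall back to `/` for those shapes as well, e.g. `if path == "" || path == "/login" || strings.HasPrefix(path, "/sso/") || strings.HasPrefix(path, "//") || strings.Contains(path, "\\") {`. Because the cookie comes back from the client, the same check belongs where the cookie is read, not only where it is set. The prefix test also does not match a bare `/sso` or `/login/`, which may matter depending on how the router normalises paths. The function body continues past the end of the hunk.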
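Review bot: The table in TestReturnToSkipsLoginPaths pins only the two known endpoints, while the commit message describes the new rule as covering all `/sso/*` paths. Adding an arbitrary entry such as `"/sso/other"` (constructed example) would pin the prefix behaviour. A separate negative case, for instance a path like `/ssoadmin` that must be stored unchanged, would confirm the match stops at the `/sso/` boundary. The loop body and its assertions continue outside the hunk, so whether the existing assertions fit a negative case cannot be seen from here.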