From 1455324ac2f08436e26d5b44086a5dabc749d0e5 Mon Sep 17 00:00:00 2001
From: VASANTH K
Date: Tue, 17 Feb 2026 11:58:02 +0530
Subject: [PATCH] Use RelayState for login redirect fallback

fix(saml): correctly handle RelayState for post-auth redirect
RelayState is a standard SAML parameter used to preserve the target URL during SSO flow. Updated implementation to properly read and forward RelayState so users are redirected to the intended resource after successful authentication.
---
 server/controllers/auth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/controllers/auth.js b/server/controllers/auth.js
index 733486be0..e18dac406 100644
--- a/server/controllers/auth.js
+++ b/server/controllers/auth.js
@@ -72,7 +72,7 @@ router.all('/login/:strategy/callback', async (req, res, next) => {
 }, { req, res })
 res.cookie('jwt', authResult.jwt, commonHelper.getCookieOpts())
- const loginRedirect = req.cookies['loginRedirect']
+ const loginRedirect = req.cookies['loginRedirect'] ?? decodeURI(req.body.RelayState)
 const isValidRedirect = loginRedirect && loginRedirect.startsWith('/') && !loginRedirect.startsWith('//') && !loginRedirect.includes('://')
 if (loginRedirect === '/' && authResult.redirect) {
 res.clearCookie('loginRedirect')
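Review bot: On the new `loginRedirect` line, `req.body.RelayState` comes from the unsigned, browser-relayed POST body and goes straight into `decodeURI`, which throws `URIError` on a malformed percent sequence and returns the string `'undefined'` when the field is absent. Because the route is `router.all`, a callback that arrives without a parsed body may also fail on `req.body.RelayState` itself (body parsing is not visible here). The form parser has presumably decoded the field once already, so the prefix checks on the next line see a twice-decoded value, and they do not reject a backslash after the leading slash, which browsers treat like `/`. I would skip the second decode unless the sender is known to encode the value: `const relayState = typeof req.body?.RelayState === 'string' ? req.body.RelayState : undefined`, then `const loginRedirect = req.cookies['loginRedirect'] ?? relayState`, and add `&& !loginRedirect.startsWith('/\\')` to `isValidRedirect`. The handler starts and ends outside the hunk, so whether a surrounding try/catch would absorb the `URIError` after the `jwt` cookie is already set cannot be confirmed from here.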