fix: preserve page context via cookie after Bluesky redirect

[NandkishorJadoun]

fixes #901

Previously, users logging in via Bluesky were redirected to the homepage regardless of which page they started from.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
npmx.dev	Ready	Preview, Comment	Feb 4, 2026 0:34am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Ignored	Preview	Feb 4, 2026 0:34am
npmx-lunaria	Ignored		Feb 4, 2026 0:34am

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes implement a mechanism to preserve page context during authentication flows. The client-side component now captures the current route path (route.fullPath) and passes it as a returnTo parameter when initiating authentication. The server-side endpoint receives this value, validates it as a safe relative path, stores it securely in a cookie with a 5-minute expiration, and redirects users to the stored path following successful OAuth callback instead of redirecting to the homepage.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The pull request description directly addresses the issue by explaining the problem (users redirected to homepage regardless of starting page) and references the linked issue #901.
Linked Issues check	✅ Passed	The pull request implements the required functionality from issue #901 by preserving the user's original page context during Bluesky authentication redirects.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to resolving the issue: AuthModal navigates with returnTo parameter, and the OAuth callback stores and redirects to the saved return path.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

app/components/Header/AuthModal.client.vue (1)

26-36: ⚠️ Potential issue | 🟠 Major

Missing returnTo parameter in handleLogin creates inconsistent redirect behaviour.

The handleLogin() function for manual handle input does not include the returnTo query parameter, whilst handleBlueskySignIn() and handleCreateAccount() do. Users logging in with a custom handle will be redirected to the homepage instead of their original page.

🐛 Proposed fix to add returnTo parameter

 async function handleLogin() {
   if (handleInput.value) {
     await navigateTo(
       {
         path: '/api/auth/atproto',
-        query: { handle: handleInput.value },
+        query: { handle: handleInput.value, returnTo: route.fullPath },
       },
       { external: true },
     )
   }
 }

[danielroe]

would you mind resolving the conflicts? 🙏

[wojtekmaj]

What does it have to do with the described fix?

[NandkishorJadoun]

I was working on another issue and forgot to switch branches. Please ignore that commit for now

[NandkishorJadoun]

yeah, working on it

[wojtekmaj]

Listen to the rabbit 🐰

[wojtekmaj]

Aside from the style change that sneaked in, LGTM.

[danielroe]

I think it would be safer to construct a new URL, validate the hostname, and pass this to setCookie

[codecov]

Codecov Report

❌ Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
app/components/Header/AuthModal.client.vue	33.33%	2 Missing ⚠️

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

app/components/Header/AuthModal.client.vue (1)

29-33: ⚠️ Potential issue | 🟠 Major

Custom handle login does not preserve page context.

The handleLogin function uses authRedirect(handleInput.value) without passing the returnTo parameter. Users who enter a custom handle will be redirected to the homepage after authentication, inconsistent with the other two login flows (handleBlueskySignIn and handleCreateAccount) which both pass returnTo: route.fullPath.

The authRedirect function currently accepts only identifier and optional create parameters, and does not include returnTo in its query object. Update the function signature to accept an optional returnTo parameter:

-export async function authRedirect(identifier: string, create: boolean = false) {
+export async function authRedirect(identifier: string, create: boolean = false, returnTo?: string) {
   let query: LocationQueryRaw = { handle: identifier }
   if (create) {
     query = { ...query, create: 'true' }
   }
+  if (returnTo) {
+    query = { ...query, returnTo }
+  }
   await navigateTo(
     {
       path: '/api/auth/atproto',
       query,
     },
     { external: true },
   )
 }

Then call it with the return path in handleLogin:

 async function handleLogin() {
   if (handleInput.value) {
-    await authRedirect(handleInput.value)
+    await authRedirect(handleInput.value, false, route.fullPath)
   }
 }

[fatfingers23]

LGTM! Thank you for adding it! Was a big ask we got