npmx-dev · danielroe · Feb 5, 2026 · Feb 4, 2026 · Feb 4, 2026 · Feb 4, 2026
diff --git a/app/components/Header/AuthModal.client.vue b/app/components/Header/AuthModal.client.vue
@@ -1,13 +1,13 @@
 <script setup lang="ts">
 const handleInput = shallowRef('')
-
+const route = useRoute()
 const { user, logout } = useAtproto()
 
 async function handleBlueskySignIn() {
   await navigateTo(
     {
       path: '/api/auth/atproto',
-      query: { handle: 'https://bsky.social' },
+      query: { handle: 'https://bsky.social', returnTo: route.fullPath },
     },
     { external: true },
   )
@@ -17,7 +17,7 @@ async function handleCreateAccount() {
   await navigateTo(
     {
       path: '/api/auth/atproto',
-      query: { handle: 'https://npmx.social', create: 'true' },
+      query: { handle: 'https://npmx.social', create: 'true', returnTo: route.fullPath },
     },
     { external: true },
   )

diff --git a/server/api/auth/atproto.get.ts b/server/api/auth/atproto.get.ts
@@ -15,6 +15,18 @@ export default defineEventHandler(async event => {
   }
 
   const query = getQuery(event)
+  const rawReturnTo = query.returnTo?.toString() || '/'
+  // Validate returnTo is a safe relative path (prevent open redirect)
+  const isRelativePath = rawReturnTo.startsWith('/') && !rawReturnTo.startsWith('//') && !rawReturnTo.includes(':')
+  const returnTo = isRelativePath ? rawReturnTo : '/'
+
+  setCookie(event, 'auth_return_to', returnTo, {
+    maxAge: 60 * 5,
+    httpOnly: true,
+    // secure only if NOT in dev mode
+    secure: !import.meta.dev,
+  })
+
   const clientMetadata = getOauthClientMetadata()
   const { stateStore, sessionStore } = useOAuthStorage(event)
 
@@ -60,5 +72,8 @@ export default defineEventHandler(async event => {
 
   await session.update(miniDoc)
 
-  return sendRedirect(event, '/')
+  const returnToURL = getCookie(event, 'auth_return_to') || '/'
+  deleteCookie(event, 'auth_return_to')
+
+  return sendRedirect(event, returnToURL)
 })