From fa559ba4be65000517f8b1acf40e2d9869c76d64 Mon Sep 17 00:00:00 2001
From: janis steiner
Date: Sat, 16 May 2026 11:51:17 +0200
Subject: [PATCH] fix
---
 public/oauth.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/public/oauth.php b/public/oauth.php
index 6e2b79f..4a4cde0 100644
--- a/public/oauth.php
+++ b/public/oauth.php
@@ -23,7 +23,8 @@ session_set_cookie_params([
 session_start();
 $authToken = $_GET['auth'] ?? '';
-$errorRedirect = isSafeRedirect($_GET['redirect'] ?? '') ? $_GET['redirect'] : '/';
+$rawRedirect = $_GET['redirect'] ?? '/';
+$errorRedirect = isSafeRedirect($rawRedirect) ? $rawRedirect : '/';
 if (!$authToken) {
 $_SESSION['auth_error'] = 'Missing authentication token.';
@@ -83,6 +84,6 @@ $_SESSION['telegram_id'] = $data['telegram_id'] ?? '';
 $_SESSION['user_token'] = $userToken;
 unset($_SESSION['auth_error']);
-$redirect = isSafeRedirect($_GET['redirect'] ?? '') ? $_GET['redirect'] : '/';
+$redirect = isSafeRedirect($rawRedirect) ? $rawRedirect : '/';
 header('Location: ' . $redirect);
 exit;
\ No newline at end of file
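Review bot: The added `$rawRedirect = $_GET['redirect'] ?? '/';` line in the first hunk takes the query parameter without a type check, so a request carrying `redirect[]=x` passes an array to `isSafeRedirect()`. That function is not visible in this diff, so the result is either a TypeError or a check run against a non-string. Normalising first keeps the validator's input a string: `$rawRedirect = is_string($_GET['redirect'] ?? null) ? $_GET['redirect'] : '/';`. Note that `??` only covers a missing parameter, so an explicit empty `redirect=` still reaches `isSafeRedirect('')`, and whether that is rejected depends on the validator. A one-line comment above the assignment, such as `// untrusted: only use via isSafeRedirect()`, would also help the next reader.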
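Review bot: The added `$redirect` line in the second hunk repeats the exact expression already assigned to `$errorRedirect` in the first hunk, so the untrusted `$rawRedirect` stays in scope for roughly sixty lines only to be validated a second time. Validating once and reusing the result, for example `header('Location: ' . $errorRedirect);` or a single neutrally named `$safeRedirect`, leaves one checked value flowing into the `Location` header. It also removes the chance of the raw value being reassigned or used directly in between; the code between the two hunks is not visible here. Whether `isSafeRedirect()` rejects protocol-relative forms such as `//host` or a backslash prefix cannot be confirmed from this diff and is worth pinning with a test.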