Handle invalid return-to payloads without misclassifying login as failed

Co-Authored-By: Codex <codex@openai.com>

src/stores/login.ts

@@ -71,16 +71,20 @@ export const useLoginStore = defineStore("loginStore", {
         // However, if the user pasted a URL while not logged in,
         // redirect them to the remembered return-to URL after login.
         if (this.rememberedReturnToUrl !== "") {
-          const decodedUrl = atob(this.rememberedReturnToUrl);
+          let decodedUrl = "";
+          try {
+            decodedUrl = atob(this.rememberedReturnToUrl);
+          } catch {
+            this.$router.push("/files");
+            return;
+          }
           // Only allow relative paths to prevent open redirect attacks
           if (decodedUrl.startsWith("/") && !decodedUrl.startsWith("//")) {
             window.location.href = decodedUrl;
-          } else {
-            this.$router.push("/files");
+            return;
           }
-        } else {
-          this.$router.push("/files");
         }
+        this.$router.push("/files");
       } catch (error) {
         this.isInvalid = true;
       }