Fix open redirect vulnerability in return-to URL after login

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/stores/login.test.js

@@ -107,6 +107,29 @@ describe('loginStore', () => {
       window.location = originalLocation;
     });
 
+    it('does not redirect to external URL (open redirect prevention)', async () => {
+      axios.post.mockResolvedValue({
+        data: {
+          access_token: 'token',
+          refresh_token: 'refresh',
+        },
+      });
+      // Attacker crafts a return-to URL pointing to an external site
+      store.rememberedReturnToUrl = btoa('https://evil.example.com/steal');
+
+      const originalLocation = window.location;
+      delete window.location;
+      window.location = { href: '' };
+
+      await store.signIn();
+
+      // Should NOT redirect to the external URL
+      expect(window.location.href).not.toBe('https://evil.example.com/steal');
+      // Should fall back to /files
+      expect(store.$router.push).toHaveBeenCalledWith('/files');
+      window.location = originalLocation;
+    });
+
     it('sets isInvalid on error', async () => {
       axios.post.mockRejectedValue(new Error('401'));