From 4a830b49e820f4c1a3fe4e8ab83bc8f31586723a Mon Sep 17 00:00:00 2001
From: Ayush Chaudhari
Date: Wed, 17 Sep 2025 16:58:26 +0530
Subject: [PATCH] fix: better redirect handling
---
 frappe/www/login.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/frappe/www/login.py b/frappe/www/login.py
index c9a5e63816..cbd71bb77f 100644
--- a/frappe/www/login.py
+++ b/frappe/www/login.py
@@ -2,7 +2,7 @@
 # License: MIT. See LICENSE
-from urllib.parse import urlparse
+from urllib.parse import urljoin, urlparse
 import frappe
 import frappe.utils
@@ -202,17 +202,21 @@ def sanitize_redirect(redirect: str | None) -> str | None:
 Allowed redirects:
 - Same host e.g. https://frappe.localhost/path
- - Just path e.g. /app
+ - Just path e.g. /app gets converted to https://frappe.localhost/app
 """
 if not redirect:
 return redirect
 parsed_redirect = urlparse(redirect)
- if not parsed_redirect.netloc:
- return redirect
 parsed_request_host = urlparse(frappe.local.request.url)
- if parsed_request_host.netloc == parsed_redirect.netloc:
- return redirect
+ output_parsed_url = parsed_redirect._replace(
+ netloc=parsed_request_host.netloc, scheme=parsed_request_host.scheme
+ )
+ if parsed_redirect.netloc:
+ if parsed_request_host.netloc != parsed_redirect.netloc:
+ output_parsed_url = output_parsed_url._replace(path="/app")
+ else:
+ output_parsed_url = output_parsed_url._replace(path=parsed_redirect.path)
- return None
+ return output_parsed_url.geturl()
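Review bot: `urljoin` is added to the import in the first hunk, but none of the lines this patch adds call it, so the import is unused. The diffstat lists only this file and both of its hunks are visible here, so the commit has no other place that could use it. Either keep the original `from urllib.parse import urlparse` or use `urljoin` where the absolute URL is built.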
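Review bot: In the host-mismatch branch of `sanitize_redirect` only `path` is reset to `/app`, so the `params`, `query` and `fragment` of the rejected foreign URL are still carried into the same-host URL that is returned; clearing them as well gives a fixed fallback: `output_parsed_url = output_parsed_url._replace(path="/app", params="", query="", fragment="")`. The `else` branch assigns `path=parsed_redirect.path`, which `output_parsed_url` already holds from the first `_replace`, so it is a no-op whichever `if` it pairs with (indentation is lost in this rendering) and can be dropped. Every result now takes its scheme and host from `frappe.local.request.url`, so a path-only redirect such as `/app` presumably becomes an `http://` URL when the app sits behind a TLS-terminating proxy that does not forward the original scheme, and it inherits whatever Host header reached the app; that is worth confirming against the deployment's proxy configuration. The commit changes the return contract (cross-host input used to yield `None`) without adding tests; cases for cross-host, same-host, path-only and scheme-only inputs would pin the new behaviour. The function's `def` line and the opening of its docstring lie above the hunk.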