Changeset 14713

Timestamp:

03/13/2026 07:26:23 PM (5 weeks ago)

Author:

obenland

Message:

Login: Don't override the login redirect when it targets application password authorization.

The came_from redirect override was replacing the authorize_application redirect with the cookie value after 2FA, sending users to profiles.wordpress.org
instead of the authorization form.

File:

• sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions.php (modified) (1 diff)

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions.php

@@ -608 +608 @@
             'login.wordpress.org' == $redirect_host &&
             str_contains( $redirect_qv, 'response_type=code' )
+        ) &&
+        // Don't override if the redirect is back to an application password authorization.
+        ! (
+            'login.wordpress.org' == $redirect_host &&
+            str_contains( $redirect_qv, 'action=authorize_application' )
         )
     ) {