fix(api): only use homeLocation as a fallback (#40517)

api-server/server/utils/middleware.js

@@ -2,22 +2,23 @@ import dedent from 'dedent';
 import { validationResult } from 'express-validator';
 
 import { createValidatorErrorFormatter } from './create-handled-error.js';
-import { homeLocation } from '../../../config/env';
 import {
   getAccessTokenFromRequest,
   removeCookies
 } from './getSetAccessToken.js';
+import { getRedirectParams } from './redirection';
 
-export function ifNoUserRedirectTo(url, message, type = 'errors') {
+export function ifNoUserRedirectHome(message, type = 'errors') {
   return function(req, res, next) {
     const { path } = req;
     if (req.user) {
       return next();
     }
 
+    const { origin } = getRedirectParams(req);
     req.flash(type, message || `You must be signed in to access ${path}`);
 
-    return res.redirect(url);
+    return res.redirect(origin);
   };
 }
 
@@ -55,15 +56,13 @@ export function ifNotVerifiedRedirectToUpdateEmail(req, res, next) {
   return next();
 }
 
-export function ifUserRedirectTo(path = `${homeLocation}/learn`, status) {
+export function ifUserRedirectTo(status) {
   status = status === 301 ? 301 : 302;
   return (req, res, next) => {
     const { accessToken } = getAccessTokenFromRequest(req);
+    const { returnTo } = getRedirectParams(req);
     if (req.user && accessToken) {
-      if (req.query && req.query.returnTo) {
-        return res.status(status).redirect(req.query.returnTo);
-      }
-      return res.status(status).redirect(path);
+      return res.status(status).redirect(returnTo);
     }
     if (req.user && !accessToken) {
       // This request has an active auth session