Adjust login url handling for authenticated users #3079

Open
samuelwei wants to merge 8 commits into develop from 3078-auth-redirect-doesnt-work-if-already-logged-in

Collaborator

@samuelwei samuelwei commented Apr 23, 2026

Fixes #3078

Type

  • Bugfix
  • Feature
  • Documentation
  • Refactoring (e.g. Style updates, Test implementation, etc.)
  • Other (please describe):

Checklist

  • Code updated to current develop branch head
  • Passes CI checks
  • Is a part of an issue
  • Tests added for the bugfix or newly implemented feature, describe below why if not
  • Changelog is updated
  • Documentation of code and features exists

Changes

  • Direct OIDC / Shibboleth redirect calls with a redirect query parameter will now redirect authenticated users to the requested url
  • Allow frontend login url calls, user is redirected to requested redirect route, fallback to room overview

Other information

Summary by CodeRabbit

  • Improvements

    • Refined authentication redirect behavior for already-logged-in users across providers and the login page (prevents login UI rendering)
    • Added ability to suppress success messages during external authentication via a query flag
    • Consistent handling and forwarding of optional redirect parameters across auth flows
    • Updated route behavior and props for external-login
  • Validation

    • New validation for auth redirect/callback inputs that returns 400 on invalid requests
  • Tests

    • Added/extended tests covering authenticated redirect behavior and callback flows

Users are no longer redirected to a fixed location via the guest middleware; instead they are redirected to the external login route. We don't redirect directly, to prevent an open redirect. The redirect via the external_login route happens via Vue Router and therefore only allows valid SPA route redirects.
@samuelwei samuelwei linked an issue Apr 23, 2026 that may be closed by this pull request
Contributor

coderabbitai Bot commented Apr 23, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 4294030b-af26-4cfa-82af-b4f0e2984e28

📥 Commits

Reviewing files that changed from the base of the PR and between 6ce7053 and 39ea6c9.

📒 Files selected for processing (1)
  • app/Auth/OIDC/OpenIDConnectClient.php

Walkthrough

Adds typed FormRequest classes, a shared REDIRECT_URL constant, and short-circuits authenticated users on OIDC/Shibboleth redirect endpoints to /external_login?no_message=1 (preserving an optional redirect query); updates callbacks to use the constant/URI construction; frontend and tests adjusted to respect no_message and normalized redirects.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Auth Controllers & Providers: app/Auth/OIDC/OIDCController.php, app/Auth/Shibboleth/ShibbolethController.php, app/Auth/OIDC/OIDCProvider.php, app/Auth/OIDC/OpenIDConnectClient.php | Add protected const string REDIRECT_URL = '/external_login'. Exclude redirect from guest middleware. redirect endpoints short-circuit for authenticated users to REDIRECT_URL?no_message=1 with optional redirect. callback endpoints construct redirects via Uri and use session-stored redirect_url. OIDC client authenticate now returns void and throws on missing code. |
| Form Request Classes: app/Auth/OIDC/OIDCRedirectRequest.php, app/Auth/OIDC/OIDCCallbackRequest.php, app/Auth/Shibboleth/ShibbolethRedirectRequest.php, app/Auth/Shibboleth/ShibbolethCallbackRequest.php | Add typed FormRequest classes validating redirect, code, state, error, error_description inputs as strings and aborting with 400 on validation failure. Controllers updated to accept these request types. |
| Frontend Router & Views: resources/js/router.js, resources/js/views/ExternalLogin.vue, resources/js/views/Login.vue | Remove guestsOnly meta from /login. /external_login maps no_message query to boolean noMessage. ExternalLogin suppresses success toast when noMessage is true. Login.vue normalizes redirect query and immediately redirects authenticated clients to the normalized target or rooms index; OIDC/Shibboleth redirect URLs use normalized value. |
| Backend Feature Tests: tests/Backend/Feature/api/v1/OIDCTest.php, tests/Backend/Feature/api/v1/ShibbolethTest.php | Add/modify tests to assert authenticated access to auth.*.redirect redirects to /external_login?no_message=1 and that an encoded redirect param is forwarded. Add Shibboleth callback test verifying redirect and authentication. |
| Frontend E2E Tests: tests/Frontend/e2e/Login.cy.js | Update logged-in tests to expect automatic redirects instead of guests-only toast; assert /login is skipped and redirects land on normalized targets. Add external-login test verifying no_message=1&redirect=/admin redirects to /admin, shows admin page, and suppresses toast. |
| Changelog: CHANGELOG.md | Add Unreleased entries noting login/external-login redirect behavior and link references for issues/PRs. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested labels

Complete - Waiting for review

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adjusting login URL handling to work correctly for authenticated users. |
| Description check | ✅ Passed | The description addresses the template structure with issue reference, type selection, completed checklist, and lists the main changes. All critical sections are present and populated. |
| Linked Issues check | ✅ Passed | The PR implements all requirements from issue #3078: OIDC/Shibboleth redirect endpoints now respect redirect parameters for authenticated users by immediately redirecting to the target URL, and frontend login pages redirect authenticated users to requested routes or the room overview. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to the stated objectives of fixing redirect handling for authenticated users across OIDC, Shibboleth, and frontend login flows. No unrelated changes detected. |


codecov Bot commented Apr 23, 2026

Codecov Report

❌ Patch coverage is 89.87342% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 96.70%. Comparing base (9ae6aaa) to head (39ea6c9).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| app/Auth/OIDC/OIDCCallbackRequest.php | 77.77% | 2 Missing ⚠️ |
| app/Auth/OIDC/OIDCRedirectRequest.php | 66.66% | 2 Missing ⚠️ |
| app/Auth/Shibboleth/ShibbolethCallbackRequest.php | 66.66% | 2 Missing ⚠️ |
| app/Auth/Shibboleth/ShibbolethRedirectRequest.php | 66.66% | 2 Missing ⚠️ |

Additional details and impacted files
@@              Coverage Diff              @@
##             develop    #3079      +/-   ##
=============================================
- Coverage      96.77%   96.70%   -0.07%     
- Complexity      1924     1935      +11     
=============================================
  Files            457      461       +4     
  Lines          13132    13127       -5     
  Branches        2133     2141       +8     
=============================================
- Hits           12708    12695      -13     
- Misses           424      432       +8     

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
resources/js/views/ExternalLogin.vue (1)

84-88: ⚠️ Potential issue | 🟡 Minor

Consider validating route.query.redirect before router.push (pre-existing, but exposure broadened by this PR).

This line is not changed, but the PR widens the set of flows that land here with an attacker-influenceable redirect query (authenticated users can now reach /external_login?redirect=… directly). If route.query.redirect is something like //evil.com/x, http://evil.com, or an array, behavior may be unsafe or buggy:

  • Protocol-relative (//host) values may be accepted by some history implementations as external navigations.
  • Repeated ?redirect=a&redirect=b becomes an array — router.push(['…','…']) is not a valid argument.

A simple guard would make the contract explicit:

🛡️ Suggested guard
-    if (route.query.redirect !== undefined) {
-      router.push(route.query.redirect);
+    const redirect = route.query.redirect;
+    if (typeof redirect === "string" && /^\/(?![/\\])/.test(redirect)) {
+      router.push(redirect);
     } else {
       router.push({ name: "rooms.index" });
     }
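
Review bot: The pattern /^\/(?![/\\])/ in the added condition only constrains the first two characters of redirect, so backslashes or control characters later in the value still reach router.push(redirect). Consider rejecting those anywhere in the string as well, and move the test into a named helper so every place that pushes a query-supplied path applies the same rule.
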
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@resources/js/views/ExternalLogin.vue` around lines 84 - 88, The redirect
handling in ExternalLogin.vue currently pushes route.query.redirect without
validation; ensure route.query.redirect is a safe single relative path before
calling router.push. Update the logic around route.query.redirect: verify it's a
string (if it's an array, pick the first element or ignore), reject values that
start with '//' or contain a scheme like 'http:' or 'https:', and only allow
paths that begin with a single '/' (or otherwise match an explicit
internal-route whitelist); if the value fails validation, fall back to
router.push({ name: "rooms.index" }). Use the existing route.query.redirect and
router.push symbols when locating and changing the code.
🧹 Nitpick comments (2)
app/Auth/Shibboleth/ShibbolethController.php (1)

28-37: Minor: use lowercase auth() helper and consider simplifying query construction.

Two small points:

  1. Auth() with an uppercase A is unconventional — Laravel's global helper is lowercased auth(). PHP function names are case-insensitive so it works, but it's inconsistent with the rest of the codebase and with the OIDC controller (which uses the same casing here). Prefer auth()->check() for consistency.
  2. The two-branch construction can be collapsed by building the query array upfront:
♻️ Suggested simplification
-        if (Auth()->check()) {
-            $uri = Uri::of(self::REDIRECT_URL)->withQuery(['no_message' => true]);
-            if ($request->query('redirect')) {
-                return redirect($uri
-                    ->withQuery(['redirect' => $request->query('redirect')])
-                    ->value());
-            }
-
-            return redirect($uri->value());
-        }
+        if (auth()->check()) {
+            $query = ['no_message' => true];
+            if ($request->query('redirect')) {
+                $query['redirect'] = $request->query('redirect');
+            }
+
+            return redirect(Uri::of(self::REDIRECT_URL)->withQuery($query)->value());
+        }
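
Review bot: The truthiness test if ($request->query('redirect')) in the added lines does not establish that the value is a string. A redirect[]=... query yields an array that passes the check and is handed to withQuery, while the string "0" is dropped. Read the value once into a variable, require is_string and a non-empty value, and apply the same single-leading-slash rule used on the frontend before adding it to $query.
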
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/Auth/Shibboleth/ShibbolethController.php` around lines 28 - 37, Replace
the unconventional Auth() call with the lowercase helper auth() in the
conditional (use auth()->check()) and simplify the redirect logic in
ShibbolethController by building a single query array first (include
'no_message' => true and conditionally add 'redirect' =>
$request->query('redirect')), then apply that query to
Uri::of(self::REDIRECT_URL) and return a single redirect(...) using the
uri->value(); this collapses the two-branch return into one and keeps URI
construction centralized.
app/Auth/OIDC/OIDCController.php (1)

30-40: Duplicated short-circuit logic with ShibbolethController.

This authenticated-user short-circuit is byte-for-byte identical to the new block in app/Auth/Shibboleth/ShibbolethController.php (lines 28–37). Consider extracting it into a small trait, a shared helper, or a base controller method to avoid drift (e.g., if the no_message contract, URL, or validation rules change later, both places must be updated in lockstep).

Same Auth() casing nit as noted on the Shibboleth side — prefer auth()->check().

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/Auth/OIDC/OIDCController.php` around lines 30 - 40, Extract the
duplicated authenticated-user short-circuit into a shared helper (trait or base
controller method) and replace the inline block in both OIDCController and
ShibbolethController with a call to that helper; specifically, move the logic
that checks auth()->check(), constructs
Uri::of(self::REDIRECT_URL)->withQuery(['no_message' => true]), handles optional
$request->query('redirect') and returns the redirect into a single method (e.g.,
handleAuthenticatedRedirect(Request $request) in a trait or base class), update
both controllers to call that method, and also change Auth()->check() to
auth()->check() to fix the casing.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@app/Auth/Shibboleth/ShibbolethController.php`:
- Around line 28-39: The redirect query parameter is forwarded unvalidated from
ShibbolethController::redirect (and similarly OIDCController::redirect) to
/external_login and then used by the frontend (ExternalLogin.vue and Login.vue)
in router.push(), creating an open-redirect risk; fix this by validating and
normalizing the redirect before forwarding and before calling router.push(): in
ShibbolethController::redirect (and OIDCController::redirect) reject or remove
any redirect that contains '//' or '/\' or that is not a single('/')-prefixed
path or a recognized SPA route name, and only forward whitelisted values to
/external_login; in ExternalLogin.vue and Login.vue, enforce the same
whitelist/validation on route.query.redirect (or require a route name/object)
and refuse/purge malformed values before calling router.push() to ensure only
known SPA routes or safe single-segment paths are allowed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: e78846f0-7717-4c03-99b3-a04e2b7ecec3

📥 Commits

Reviewing files that changed from the base of the PR and between 9ae6aaa and be9fb0e.

📒 Files selected for processing (7)
  • app/Auth/OIDC/OIDCController.php
  • app/Auth/Shibboleth/ShibbolethController.php
  • resources/js/router.js
  • resources/js/views/ExternalLogin.vue
  • tests/Backend/Feature/api/v1/OIDCTest.php
  • tests/Backend/Feature/api/v1/ShibbolethTest.php
  • tests/Frontend/e2e/Login.cy.js

Comment thread app/Auth/Shibboleth/ShibbolethController.php

cypress Bot commented Apr 23, 2026

PILOS Run #2988

Run Properties: Failed #2988 • git commit 39ea6c9fe1: Adjust login url handling for authenticated users

| Property | Value |
|---|---|
| Project | PILOS |
| Branch Review | 3078-auth-redirect-doesnt-work-if-already-logged-in |
| Run status | Failed #2988 |
| Run duration | 07m 21s |
| Commit | 39ea6c9fe1: Adjust login url handling for authenticated users |
| Committer | Samuel Weirich |

Test results

| Result | Count | Meaning |
|---|---|---|
| Failures | 1 | Tests that failed |
| Flaky | 0 | Tests that were flaky |
| Pending | 0 | Tests that did not run due to a developer annotating a test with .skip |
| Skipped | 0 | Tests that did not run due to a failure in a mocha hook |
| Passing | 626 | Tests that passed |

Tests for review

Failed: e2e/RoomsJoinWithLobby.cy.js • 1 failed test • System tests

Failing test: Room Join with lobby settings > Lobby enabled for guests only

Contributor

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
resources/js/views/Login.vue (1)

123-145: Handle array and empty-string cases for route.query.redirect across all usages.

route.query.redirect is typed as LocationQueryValue | LocationQueryValue[] by Vue Router, so URLs with duplicate keys (e.g., ?redirect=/a&redirect=/b) make it an array. This breaks three locations:

  1. Line 128 (onMounted): router.push(route.query.redirect) with array input will fail/warn
  2. Line 149–150 (oidcRedirectUrl): encodeURIComponent(route.query.redirect) converts array to comma-separated string ("a,b")
  3. Lines 156–157 (shibbolethRedirectUrl): same issue as above
  4. Line 174 (handleLogin): same pattern as line 128

Additionally, empty-string redirects (?redirect=) pass the !== undefined check and push an empty path.

Extract route.query.redirect once as a normalized value and reuse it:

♻️ Suggested refactoring
+const normalizedRedirect = computed(() => {
+  const value = route.query.redirect;
+  const redirectValue = Array.isArray(value) ? value[0] : value;
+  return redirectValue || undefined;
+});

 const oidcRedirectUrl = computed(() => {
   const url = "/auth/oidc/redirect";
-  return route.query.redirect
-    ? url + "?redirect=" + encodeURIComponent(route.query.redirect)
+  return normalizedRedirect.value
+    ? url + "?redirect=" + encodeURIComponent(normalizedRedirect.value)
     : url;
 });

 const shibbolethRedirectUrl = computed(() => {
   const url = "/auth/shibboleth/redirect";
-  return route.query.redirect
-    ? url + "?redirect=" + encodeURIComponent(route.query.redirect)
+  return normalizedRedirect.value
+    ? url + "?redirect=" + encodeURIComponent(normalizedRedirect.value)
     : url;
 });

 onMounted(() => {
   if (authStore.isAuthenticated) {
-    if (route.query.redirect !== undefined) {
-      router.push(route.query.redirect);
+    if (normalizedRedirect.value) {
+      router.push(normalizedRedirect.value);
     } else {
       router.push({ name: "rooms.index" });
     }
     return;
   }
   // ...
 });

 async function handleLogin({ data, id }) {
   // ...
   if (normalizedRedirect.value) {
     await router.push(normalizedRedirect.value);
   } else {
     await router.push({ name: "rooms.index" });
   }
 }
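
Review bot: normalizedRedirect returns whatever non-empty string arrives in the query, so router.push(normalizedRedirect.value) in onMounted and handleLogin, and the redirect parameter built in oidcRedirectUrl and shibbolethRedirectUrl, still accept values that are not an internal path. Put the single-leading-slash check inside the computed so all four call sites inherit it. Also note that value[0] can be an empty string while a later array element is not, in which case the redirect is silently discarded.
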
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@resources/js/views/Login.vue` around lines 123 - 145, Normalize
route.query.redirect once (e.g., getNormalizedRedirect) and use that everywhere:
in the onMounted redirect logic, in oidcRedirectUrl and shibbolethRedirectUrl
construction, and in handleLogin. Specifically, read route.query.redirect, if
it's an array take the first non-empty element, if it's a string treat empty
string as undefined, and otherwise treat undefined as no redirect; then use the
normalized string for router.push and for encodeURIComponent calls so arrays and
empty values no longer cause incorrect pushes or comma-joined encodings. Ensure
you reference the existing symbols route.query.redirect, onMounted redirect
block, oidcRedirectUrl, shibbolethRedirectUrl, and handleLogin when applying the
change.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: fbd445ee-57c9-406a-bca6-1c96a3298847

📥 Commits

Reviewing files that changed from the base of the PR and between be9fb0e and e7e08e8.

📒 Files selected for processing (5)
  • resources/js/router.js
  • resources/js/views/Login.vue
  • tests/Backend/Feature/api/v1/OIDCTest.php
  • tests/Backend/Feature/api/v1/ShibbolethTest.php
  • tests/Frontend/e2e/Login.cy.js
🚧 Files skipped from review as they are similar to previous changes (2)
  • tests/Backend/Feature/api/v1/ShibbolethTest.php
  • tests/Backend/Feature/api/v1/OIDCTest.php
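
Added example, not part of the PR or of any reviewer's comment: the two review points above (normalizing `route.query.redirect` when it is an array or empty, and only accepting a single-slash internal path) combined into one function that can run outside Vue. The names `safeRedirect`, `resolveTarget` and `BASE` are assumptions, and the sample inputs are constructed.

```javascript
// Added example, not code from the PR. safeRedirect, resolveTarget and BASE
// are hypothetical names; BASE is a placeholder origin used only for parsing.
const BASE = "https://app.invalid";

/**
 * Reduce a Vue Router query value to a safe in-app path, or undefined.
 * @param {string | null | undefined | Array<string | null>} queryValue
 * @returns {string | undefined}
 */
function safeRedirect(queryValue) {
  // Repeated keys (?redirect=/a&redirect=/b) arrive as an array: use the first.
  const value = Array.isArray(queryValue) ? queryValue[0] : queryValue;

  // undefined, null (?redirect) and "" (?redirect=) all mean "no redirect".
  if (typeof value !== "string" || value === "") return undefined;

  // Exactly one leading slash: rejects "//host", "/\host" and "scheme:" values.
  if (!/^\/(?![/\\])/.test(value)) return undefined;

  // Backslashes and ASCII control characters have no place in a route path,
  // and URL parsers may rewrite or strip them, so refuse them anywhere.
  if (/[\\\u0000-\u001f\u007f]/.test(value)) return undefined;

  // Defence in depth: resolve against a fixed origin and confirm it is kept.
  let url;
  try {
    url = new URL(value, BASE);
  } catch {
    return undefined;
  }
  if (url.origin !== BASE) return undefined;

  // Hand the router a normalized path, query and fragment only.
  return url.pathname + url.search + url.hash;
}

/**
 * Mirror of the fallback used on the page: a validated path, or the
 * rooms overview route when the redirect is missing or rejected.
 */
function resolveTarget(query) {
  const path = safeRedirect(query.redirect);
  return path === undefined ? { name: "rooms.index" } : path;
}

// Constructed sample inputs, including the values named in the review.
const samples = [
  "/admin",
  "/admin?tab=users#top",
  ["/rooms/abc", "/other"],
  "",
  null,
  undefined,
  "//evil.com/x",
  "http://evil.com",
  "/\\evil.com",
  "/a\tb",
];

for (const sample of samples) {
  const target = resolveTarget({ redirect: sample });
  console.log(JSON.stringify(sample), "->", JSON.stringify(target));
}
```

In a component the result would be passed to `router.push(resolveTarget(route.query))`, and the same rule should be enforced by the backend before it forwards `redirect` to `/external_login`.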

@samuelwei samuelwei changed the title from "Adjust redirect handling for OIDC/Shibboleth" to "Adjust login url handling for authenticated users" Apr 24, 2026
Collaborator Author

@tibroc @lkiesow: Could you please verify that this PR fixes your issue?

@samuelwei samuelwei requested a review from Sabr1n4W April 24, 2026 13:30
Contributor

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
app/Auth/OIDC/OpenIDConnectClient.php (1)

181-199: ⚠️ Potential issue | 🟡 Minor

Fix stale PHPDoc return contract for authenticate().

The method now returns void, but the docblock still describes a boolean return contract. Please update it to avoid misleading IDE/static-analysis hints.

✏️ Proposed docblock fix
-     * `@return` bool Returns true if authentication is successful, false if the code is missing
+     * `@return` void
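
Review bot: Replacing the @return line removes the only mention of the missing-code case from the docblock. The removed text documented that case as a false return, so state in the same docblock what happens now when code is absent, for example with an @throws entry naming the exception the method raises.
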
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/Auth/OIDC/OpenIDConnectClient.php` around lines 181 - 199, Update the
PHPDoc for the OpenIDConnectClient::authenticate(Request $request) method to
reflect its actual signature: change the `@return` line from "bool Returns true if
authentication is successful, false if the code is missing" to "@return void"
and adjust the short description accordingly (e.g., remove the boolean return
description); also tidy any duplicated `@throws` entries if present so the
docblock accurately matches the method signature and exceptions declared in the
code.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 14498866-054e-45a1-938e-ee95bd881d38

📥 Commits

Reviewing files that changed from the base of the PR and between e7e08e8 and 6ce7053.

📒 Files selected for processing (11)
  • CHANGELOG.md
  • app/Auth/OIDC/OIDCCallbackRequest.php
  • app/Auth/OIDC/OIDCController.php
  • app/Auth/OIDC/OIDCProvider.php
  • app/Auth/OIDC/OIDCRedirectRequest.php
  • app/Auth/OIDC/OpenIDConnectClient.php
  • app/Auth/Shibboleth/ShibbolethCallbackRequest.php
  • app/Auth/Shibboleth/ShibbolethController.php
  • app/Auth/Shibboleth/ShibbolethRedirectRequest.php
  • resources/js/views/ExternalLogin.vue
  • resources/js/views/Login.vue
✅ Files skipped from review due to trivial changes (1)
  • CHANGELOG.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • resources/js/views/ExternalLogin.vue
  • resources/js/views/Login.vue

Development

Successfully merging this pull request may close these issues.

Auth redirect doesn't work if already logged in

1 participant