From 54cb9ece3f7f570f77ac53fb52ddf9fa863abecb Mon Sep 17 00:00:00 2001
From: Ihor Sokhan <isokhan@exoft.net>
Date: Tue, 17 Feb 2026 13:44:07 +0200
Subject: [PATCH 1/2] fix(ENG-10262): fixed login url encoding

---
 src/app/core/services/auth.service.ts      | 11 +++++++++--
 src/app/shared/helpers/url-param.helper.ts | 12 ++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/app/core/services/auth.service.ts b/src/app/core/services/auth.service.ts
index b51cb58b9..da0063ce7 100644
--- a/src/app/core/services/auth.service.ts
+++ b/src/app/core/services/auth.service.ts
@@ -8,7 +8,7 @@ import { inject, Injectable, PLATFORM_ID } from '@angular/core';
 import { SignUpModel } from '@core/models/sign-up.model';
 import { ENVIRONMENT } from '@core/provider/environment.provider';
 import { ClearCurrentUser } from '@osf/core/store/user';
-import { urlParam } from '@osf/shared/helpers/url-param.helper';
+import { localUrlParam, urlParam } from '@osf/shared/helpers/url-param.helper';
 import { JsonApiService } from '@osf/shared/services/json-api.service';
 import { LoaderService } from '@osf/shared/services/loader.service';
 
@@ -41,7 +41,14 @@ export class AuthService {
     }
 
     this.loaderService.show();
-    const loginUrl = `${this.casUrl}/login?${urlParam({ service: `${this.webUrl}/login`, next: window.location.href })}`;
+    let loginUrl = null;
+    if (this.environment.webUrl.includes('localhost')) {
+      // CAS should handle auth instead of angular, so we need to pass the next param
+      // in the service param to ensure the user is redirected back to the correct page after login
+      loginUrl = `${this.casUrl}/login?${localUrlParam({ service: `${this.webUrl.replace('4200', '5000')}/login`, next: window.location.href })}`;
+    } else {
+      loginUrl = `${this.casUrl}/login?${urlParam({ service: `${this.webUrl}/login`, next: window.location.href })}`;
+    }
     window.location.href = loginUrl;
   }
 
diff --git a/src/app/shared/helpers/url-param.helper.ts b/src/app/shared/helpers/url-param.helper.ts
index 02e7e98c8..295bd001b 100644
--- a/src/app/shared/helpers/url-param.helper.ts
+++ b/src/app/shared/helpers/url-param.helper.ts
@@ -3,3 +3,15 @@ export const urlParam = (params: Record<string, string>) => {
     .map((entry) => entry.map((comp) => encodeURIComponent(comp)).join('='))
     .join('&');
 };
+
+export const localUrlParam = (params: { service: string; next?: string }): string => {
+  const { service, next } = params;
+
+  if (!next) {
+    return `service=${encodeURIComponent(service)}`;
+  }
+
+  const encodedNext = encodeURIComponent(next);
+  const valueAfterService = `${service}?next=${encodedNext}`;
+  return `service=${encodeURIComponent(valueAfterService)}`;
+};

From ef75a2e116260eefc5a6d8d1fd09261966ac063e Mon Sep 17 00:00:00 2001
From: Ihor Sokhan <isokhan@exoft.net>
Date: Tue, 17 Feb 2026 17:01:17 +0200
Subject: [PATCH 2/2] fix(ENG-10262): unified encoding of login

---
 src/app/core/services/auth.service.ts      | 11 ++---------
 src/app/shared/helpers/url-param.helper.ts |  2 +-
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/src/app/core/services/auth.service.ts b/src/app/core/services/auth.service.ts
index da0063ce7..be9b1f27c 100644
--- a/src/app/core/services/auth.service.ts
+++ b/src/app/core/services/auth.service.ts
@@ -8,7 +8,7 @@ import { inject, Injectable, PLATFORM_ID } from '@angular/core';
 import { SignUpModel } from '@core/models/sign-up.model';
 import { ENVIRONMENT } from '@core/provider/environment.provider';
 import { ClearCurrentUser } from '@osf/core/store/user';
-import { localUrlParam, urlParam } from '@osf/shared/helpers/url-param.helper';
+import { doubleEncodedUrlParam, urlParam } from '@osf/shared/helpers/url-param.helper';
 import { JsonApiService } from '@osf/shared/services/json-api.service';
 import { LoaderService } from '@osf/shared/services/loader.service';
 
@@ -41,14 +41,7 @@ export class AuthService {
     }
 
     this.loaderService.show();
-    let loginUrl = null;
-    if (this.environment.webUrl.includes('localhost')) {
-      // CAS should handle auth instead of angular, so we need to pass the next param
-      // in the service param to ensure the user is redirected back to the correct page after login
-      loginUrl = `${this.casUrl}/login?${localUrlParam({ service: `${this.webUrl.replace('4200', '5000')}/login`, next: window.location.href })}`;
-    } else {
-      loginUrl = `${this.casUrl}/login?${urlParam({ service: `${this.webUrl}/login`, next: window.location.href })}`;
-    }
+    const loginUrl = `${this.casUrl}/login?${doubleEncodedUrlParam({ service: `${this.webUrl}/login`, next: window.location.href })}`;
     window.location.href = loginUrl;
   }
 
diff --git a/src/app/shared/helpers/url-param.helper.ts b/src/app/shared/helpers/url-param.helper.ts
index 295bd001b..7d214aee3 100644
--- a/src/app/shared/helpers/url-param.helper.ts
+++ b/src/app/shared/helpers/url-param.helper.ts
@@ -4,7 +4,7 @@ export const urlParam = (params: Record<string, string>) => {
     .join('&');
 };
 
-export const localUrlParam = (params: { service: string; next?: string }): string => {
+export const doubleEncodedUrlParam = (params: { service: string; next?: string }): string => {
   const { service, next } = params;
 
   if (!next) {