From 904407f0ad89d1d4d8c1b0af04a5bfb91625c400 Mon Sep 17 00:00:00 2001
From: Henning Perl <henning.perl@ory.sh>
Date: Tue, 26 Mar 2024 13:02:04 +0100
Subject: [PATCH] fix: return_to URL in maybeInitiate2FA

---
 src/pkg/middleware.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/pkg/middleware.ts b/src/pkg/middleware.ts
index 75b3ec1a..84dac7b2 100644
--- a/src/pkg/middleware.ts
+++ b/src/pkg/middleware.ts
@@ -21,11 +21,15 @@ const maybeInitiate2FA =
   (req: Request, res: Response, apiBaseUrl: string) => (err: AxiosError) => {
     // 403 on toSession means that we need to request 2FA
     if (err.response && err.response.status === 403) {
+      const return_to = req.header("x-original-uri") ?? req.url.toString()
       res.redirect(
         getUrlForFlow(
           apiBaseUrl,
           "login",
-          new URLSearchParams({ aal: "aal2", return_to: req.url.toString() }),
+          new URLSearchParams({
+            aal: "aal2",
+            return_to,
+          }),
         ),
       )
       return true