[WEB-4861] fix: update redirection path in MagicSignInEndpoint to home page#7774

Merged
pushya22 merged 2 commits into preview from
fix/login-user-redirect
Sep 11, 2025

Conversation

@dheeru0198
Member

@dheeru0198 dheeru0198 commented Sep 11, 2025

Description

This fix will redirect the user to the home page when they log in via the magic sign-in option.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

Test Scenarios

  1. Navigate to the Plane sign-up page and create a new account using an email address (e.g., user@company.com), but skip the password setup during the onboarding process. (This may involve selecting an option to defer password creation or using magic link/email verification to proceed without setting a password immediately.)
  2. Complete the initial onboarding (e.g., create workspace, etc.) without setting a password.
  3. Sign out of the account.
  4. Sign in again using the same email address via the magic link flow.
  5. Upon redirection, the user will be taken to the home page.

Summary by CodeRabbit

  • Bug Fixes
    • Post–magic-link sign-in now redirects users who have an auto-set password and have completed onboarding directly to the home page instead of the set-password screen. This removes an unnecessary step and streamlines first-access after sign-in; custom next-links and other redirect behaviors are preserved.

@coderabbitai
Contributor

coderabbitai bot commented Sep 11, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adjusts MagicSignInEndpoint.post redirect: when an existing user has is_password_autoset and profile.is_onboarded, the redirect path becomes the site root ("/") instead of accounts/set-password. Other authentication logic and error handling remain unchanged.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Auth: Magic sign-in redirect tweak (apps/api/plane/authentication/views/app/magic.py) | Changed redirect path to / when user exists with is_password_autoset and profile.is_onboarded; no signature changes; rest of flow unchanged. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant API as MagicSignInEndpoint
  participant Redir as Redirect Handler

  User->>API: POST /magic-sign-in
  API->>API: Validate token, find/create user
  alt user exists and is_password_autoset && profile.is_onboarded
    API->>Redir: path = "/"
  else other cases
    API->>Redir: path = previous logic (e.g., accounts/set-password or next_path)
  end
  Redir-->>User: 302 redirect to base_host + path
  note over API,Redir: Only the chosen path for this condition changed

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • sriramveeraghanta
  • vamsikrishnamathala

Pre-merge checks (2 passed, 1 warning)

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The title succinctly describes the primary change—updating MagicSignInEndpoint's redirection to the home page—and includes the tracking ticket [WEB-4861]. It is concise, specific, and avoids noisy details, so a reviewer scanning history can quickly understand the main intent. Therefore it accurately reflects the main changeset. |
| Description Check | ✅ Passed | The PR description includes a clear brief of the change, correctly marks the Type of Change as a bug fix, and provides step-by-step test scenarios that validate the new redirection behavior. These elements satisfy the template's essential sections and give reviewers sufficient context to understand and verify the change. Non-critical sections like screenshots and references are missing but are not required for this bugfix. |

Poem

I hopped through links, a tiny trail,
Switched paths to home — no password wail.
Magic light led straight and true,
Root is warm, the sky is blue.
— a rabbit’s cheer for this small tweak 🐇✨

@makeplane

makeplane bot commented Sep 11, 2025

Pull Request Linked with Plane Work Items

Comment Automatically Generated by Plane

Contributor

Copilot AI left a comment

Pull Request Overview

This PR fixes a redirection issue in the magic sign-in flow where users with auto-set passwords who have completed onboarding were being incorrectly redirected to the password setup page instead of the home page.

  • Updates the redirection logic in MagicSignInEndpoint to redirect onboarded users to the home page
  • Removes the unnecessary password setup redirection for users who have already completed onboarding


Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
apps/api/plane/authentication/views/app/magic.py (1)

114-118: Open redirect: validate next_path on the success path

Here next_path is used raw. If an attacker posts next_path=https://evil.com, urljoin(base_host, next_path) will send users off-site. In error branches you validate with validate_next_path, and MagicSignUpEndpoint does this correctly—mirror that here.

-                path = (
-                    str(next_path)
-                    if next_path
-                    else str(get_redirection_path(user=user))
-                )
+                path = (
+                    str(validate_next_path(next_path))
+                    if next_path
+                    else str(get_redirection_path(user=user))
+                )
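
Review bot: The condition on the if next_path line still tests the raw value while only the validated value is used, so when validate_next_path rejects the input the path becomes whatever it returns, stringified, and get_redirection_path(user=user) is never reached. Validate once into a local variable before this expression and branch on that result, so a rejected next_path falls back to the user's normal redirection path.
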
🧹 Nitpick comments (2)
apps/api/plane/authentication/views/app/magic.py (2)

110-111: Prefer "/" over empty string for home redirection

Using path = "" relies on urljoin quirks and the trailing-slash behavior of base_host. "/" is explicit and avoids edge cases if base_host(...) changes format.

-                path = ""
+                path = "/"
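
Review bot: On the + line, a root-relative "/" makes urljoin discard any path component of base_host, whereas the "" it replaces returned the base URL unchanged. If base_host can ever carry a path prefix (a sub-path deployment), users land on the host root instead of the app root; confirm base_host is always a bare origin, or add a test that pins the resulting URL.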

109-118: Confirm scope: should all magic sign-ins land on home?

Current logic redirects to home only when user.is_password_autoset and profile.is_onboarded. If the product requirement is “all magic sign-ins → home,” drop the guard; if not, keep as-is and add a quick note/test to lock intent.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 85f23b4 and e10e831.

📒 Files selected for processing (1)
  • apps/api/plane/authentication/views/app/magic.py (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (javascript)
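
The two urljoin behaviours raised in the review above, as an added example that is not code from the Plane repository: joining a raw next_path can leave the site, and "" and "/" differ when the base URL has a path prefix. The host names and sample inputs are constructed, and safe_next_path is a hypothetical validator written for this illustration, not Plane's validate_next_path.

```python
from urllib.parse import urljoin, urlsplit

# Constructed value; stands in for whatever base_host(...) returns.
BASE_HOST = "https://plane.example/"


def redirect_target(base_host, next_path):
    """URL the success path produces when next_path is joined as given."""
    return urljoin(base_host, str(next_path))


def safe_next_path(next_path, default="/"):
    """Hypothetical validator (not Plane's): same-site, root-relative paths only."""
    if not isinstance(next_path, str) or not next_path:
        return default
    # Browsers treat "\" like "/" and drop control characters, so reject
    # both rather than trying to normalise them.
    if "\\" in next_path or any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_path):
        return default
    try:
        parts = urlsplit(next_path)
    except ValueError:  # e.g. malformed bracketed host
        return default
    if parts.scheme or parts.netloc:
        return default  # absolute or protocol-relative URL
    if not next_path.startswith("/") or next_path.startswith("//"):
        return default
    return next_path


def stays_on_site(base_host, url):
    """True when url has the same scheme and host as base_host."""
    base, got = urlsplit(base_host), urlsplit(url)
    return (got.scheme, got.netloc) == (base.scheme, base.netloc)


# Constructed inputs: a legitimate path, then two off-site forms.
SAMPLES = ["/workspace/settings", "https://other.example/x", "//other.example/x"]

if __name__ == "__main__":
    for raw in SAMPLES:
        unsafe = redirect_target(BASE_HOST, raw)
        safe = redirect_target(BASE_HOST, safe_next_path(raw))
        print(f"{raw!r:28} raw={stays_on_site(BASE_HOST, unsafe)!s:5} "
              f"validated={stays_on_site(BASE_HOST, safe)}")
    # "" keeps a path prefix on the base URL; "/" resets to the host root.
    print(redirect_target("https://plane.example/app/", ""),
          redirect_target("https://plane.example/app/", "/"))
```
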

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
apps/api/plane/authentication/views/app/magic.py (1)

115-118: Fix open-redirect: validate next_path in success flow

next_path is used without validation in MagicSignIn success path — validate it like other branches to prevent external redirects.

File: apps/api/plane/authentication/views/app/magic.py (around the path assignment in MagicSignInEndpoint.post; originally lines 115-118)

Apply this minimal patch:

-            else:
-                # Get the redirection path
-                path = (
-                    str(next_path)
-                    if next_path
-                    else str(get_redirection_path(user=user))
-                )
+            else:
+                # Get the redirection path (validate any provided next_path)
+                path = (
+                    str(validate_next_path(next_path))
+                    if next_path
+                    else str(get_redirection_path(user=user))
+                )
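
Review bot: No test accompanies the validation added on the + lines of this else branch. Add a regression test for MagicSignInEndpoint.post that submits a next_path pointing at another host and asserts the redirect's Location header stays on base_host, so the success path cannot drift from the error branches again.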

Optional: if next_path should be honored when present even for autoset+onboarded users, use:

-            if user.is_password_autoset and profile.is_onboarded:
-                # Redirect to the home page
-                path = "/"
+            if user.is_password_autoset and profile.is_onboarded:
+                # Redirect to the home page (or a validated next_path if provided)
+                path = (
+                    str(validate_next_path(next_path))
+                    if next_path
+                    else "/"
+                )
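
Review bot: With this hunk applied, the expression str(validate_next_path(next_path)) if next_path else ... would appear in both the if and the else branch. Compute the validated next_path once above the if/else and let each branch supply only its fallback ("/" or get_redirection_path(user=user)); that also reduces the precedence question to a single line.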

Confirm whether next_path should take precedence when present, or whether forcing "/" is the intended behavior for this flow.

♻️ Duplicate comments (1)
apps/api/plane/authentication/views/app/magic.py (1)

110-111: Correct: redirecting to root is clear and matches the PR goal.

Explicit "/" is unambiguous and resolves the earlier feedback about empty strings.

🧹 Nitpick comments (1)
apps/api/plane/authentication/views/app/magic.py (1)

110-111: Nit: extract a HOME_PATH constant to avoid magic strings.

Keeps intent obvious and avoids scattering "/".

Add near the imports:

HOME_PATH = "/"

And update this line:

-                path = "/"
+                path = HOME_PATH
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e10e831 and 993f632.

📒 Files selected for processing (1)
  • apps/api/plane/authentication/views/app/magic.py (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (javascript)

@dheeru0198 dheeru0198 requested a review from Copilot September 11, 2025 12:21
Contributor

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.


@pushya22 pushya22 merged commit b60f12a into preview Sep 11, 2025
7 of 10 checks passed
@pushya22 pushya22 deleted the fix/login-user-redirect branch September 11, 2025 13:26
yarikoptic pushed a commit to yarikoptic/plane that referenced this pull request Oct 1, 2025
…e page (makeplane#7774)

* fix: update redirection path in MagicSignInEndpoint to home page

* Use / for clarity