fix: prevent server error on invalid /auth/failure requests

- The /auth/failure route attempted to set the redirect response twice, causing Express to log a server error. The fix returns immediately after the first redirect.
- Added test cases to verify that GET requests to core routes do not cause unintended server-side errors.
- Removed the /api test case from app.test.js to keep the tests focused on core application routes, as the /api route is likely to be removed during customization.

Author: YasharF

app.js

@@ -320,7 +320,7 @@ app.get('/auth/failure', (req, res) => {
   const redirectTarget = baseReturnTo || returnTo;
 
   if (!redirectTarget || !isSafeRedirect(redirectTarget) || redirectTarget === req.originalUrl || redirectTarget.startsWith('/auth/')) {
-    res.redirect('/');
+    return res.redirect('/');
   }
   res.redirect(redirectTarget);
 });

test/app.test.js

@@ -46,12 +46,6 @@ describe('GET /forgot', () => {
   });
 });
 
-describe('GET /api', () => {
-  it('should return 200 OK', (done) => {
-    request(app).get('/api').expect(200, done);
-  });
-});
-
 describe('GET /contact', () => {
   it('should return 200 OK', (done) => {
     request(app).get('/contact').expect(200, done);
@@ -63,3 +57,31 @@ describe('GET /random-url', () => {
     request(app).get('/reset').expect(404, done);
   });
 });
+
+describe('core GET routes do not throw', () => {
+  const routes = [
+    '/',
+    '/login',
+    '/logout',
+    '/signup',
+    '/forgot',
+    '/contact',
+    '/login/2fa',
+    '/login/2fa/totp',
+    '/login/webauthn-start',
+    '/login/verify/testtoken',
+    '/reset/testtoken',
+    '/account',
+    '/account/verify',
+    '/account/verify/testtoken',
+    '/account/2fa/totp/setup',
+    '/account/webauthn/register',
+    '/auth/failure',
+  ];
+
+  routes.forEach((route) => {
+    it(`GET ${route}`, async () => {
+      await request(app).get(route);
+    });
+  });
+});