sahat · YasharF · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026
diff --git a/app.js b/app.js
@@ -320,7 +320,7 @@ app.get('/auth/failure', (req, res) => {
   const redirectTarget = baseReturnTo || returnTo;
 
   if (!redirectTarget || !isSafeRedirect(redirectTarget) || redirectTarget === req.originalUrl || redirectTarget.startsWith('/auth/')) {
-    res.redirect('/');
+    return res.redirect('/');
   }
   res.redirect(redirectTarget);
 });

diff --git a/test/app.test.js b/test/app.test.js
@@ -46,12 +46,6 @@ describe('GET /forgot', () => {
   });
 });
 
-describe('GET /api', () => {
-  it('should return 200 OK', (done) => {
-    request(app).get('/api').expect(200, done);
-  });
-});
-
 describe('GET /contact', () => {
   it('should return 200 OK', (done) => {
     request(app).get('/contact').expect(200, done);
@@ -63,3 +57,13 @@ describe('GET /random-url', () => {
     request(app).get('/reset').expect(404, done);
   });
 });
+
+describe('Other core GET routes do not cause errors', () => {
+  const routes = ['/logout', '/login/2fa', '/login/2fa/totp', '/login/webauthn-start', '/login/verify/testtoken', '/reset/testtoken', '/account', '/account/verify', '/account/verify/testtoken', '/account/2fa/totp/setup', '/account/webauthn/register', '/auth/failure'];
+
+  routes.forEach((route) => {
+    it(`GET ${route}`, async () => {
+      await request(app).get(route);
+    });
+  });
+});