Apply suggestion from @coderabbitai[bot]

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: NandkishorJadoun

server/api/auth/atproto.get.ts

@@ -15,7 +15,10 @@ export default defineEventHandler(async event => {
   }
 
   const query = getQuery(event)
-  const returnTo = query.returnTo?.toString() || '/'
+  const rawReturnTo = query.returnTo?.toString() || '/'
+  // Validate returnTo is a safe relative path (prevent open redirect)
+  const isRelativePath = rawReturnTo.startsWith('/') && !rawReturnTo.startsWith('//') && !rawReturnTo.includes(':')
+  const returnTo = isRelativePath ? rawReturnTo : '/'
 
   setCookie(event, 'auth_return_to', returnTo, {
     maxAge: 60 * 5,