🐛 Fixed newsletter reply-to verification links failing after signin

ref https://linear.app/ghost/issue/ONC-1658/

- when a customer clicks a newsletter reply-to verification email in a
  browser that isn't signed in to admin, the link sends them through the
  signin redirect introduced in #27316 — but the post-signin replay used
  router.transitionTo, which drops query params not declared on the
  resolved route's controller
- react-fallback is a wildcard route with no queryParams config, so the
  ?verifyEmail=<token> param was silently stripped on replay; the React
  verify-on-mount handler in newsletters.tsx then no-ops because the
  token is missing, and the customer thinks the address didn't save
  (root cause for ONC-1618 and ONC-1642)
- swap to windowProxy.replaceLocation, which is already the auth-flow
  primitive used in authenticated.js and application.js — the hard
  navigation feeds the URL straight to the browser and bypasses
  Ember's URL-rebuilding entirely
- e2e covers the round-trip; verified to fail on unfixed code

Author: 9larsons

e2e/tests/admin/signin.test.ts

@@ -35,4 +35,27 @@ test.describe('Ghost Admin - Signin Redirect', () => {
 
         await postsPage.waitForPageToFullyLoad();
     });
+
+    test('query params on a deep link survive signin redirect', async ({page, ghostAccountOwner}) => {
+        // Newsletter reply-to verification emails point at
+        // /settings/newsletters/?verifyEmail=<token>. If the user clicks the
+        // link in a browser that isn't signed in, the param needs to survive
+        // the signin round-trip, otherwise the verify-on-mount handler in
+        // newsletters.tsx no-ops and the customer thinks their reply-to
+        // address didn't save (ONC-1618 / ONC-1642).
+        await logout(page);
+
+        await page.goto('/ghost/#/settings/newsletters/?verifyEmail=fake-token-xyz');
+
+        const loginPage = new LoginPage(page);
+        await expect(loginPage.signInButton).toBeVisible();
+
+        await loginPage.signIn(ghostAccountOwner.email, ghostAccountOwner.password);
+
+        // The error modal is the signal that the React verify handler ran:
+        // it only renders when newsletters.tsx attempted to redeem a token
+        // and the API rejected it (expected, since the token is fake).
+        await expect(page.getByRole('heading', {name: 'Error verifying email address'})).toBeVisible();
+        expect(page.url()).toContain('verifyEmail=fake-token-xyz');
+    });
 });

ghost/admin/app/services/session.js

@@ -1,5 +1,7 @@
+import AuthConfiguration from 'ember-simple-auth/configuration';
 import ESASessionService from 'ember-simple-auth/services/session';
 import RSVP from 'rsvp';
+import windowProxy from 'ghost-admin/utils/window-proxy';
 import {configureScope} from '@sentry/ember';
 import {getOwner} from '@ember/application';
 import {inject} from 'ghost-admin/decorators/inject';
@@ -91,7 +93,11 @@ export default class SessionService extends ESASessionService {
             const redirectUrl = window.sessionStorage.getItem('ghost-signin-redirect');
             window.sessionStorage.removeItem('ghost-signin-redirect');
             if (redirectUrl && !redirectUrl.startsWith('/signin') && !redirectUrl.startsWith('/signup') && !redirectUrl.startsWith('/setup')) {
-                this.router.transitionTo(redirectUrl);
+                // Hard navigate rather than router.transitionTo: the catch-all
+                // react-fallback route has no controller-declared queryParams,
+                // so transitionTo strips params like ?verifyEmail=<token> used
+                // by newsletter reply-to confirmation links.
+                windowProxy.replaceLocation(`${AuthConfiguration.rootURL}#${redirectUrl}`);
                 return;
             }