- rt = params[:return_to]
- # Extracts query params as {param1 => [value1], param2 => [value2], ...}
- p = rt.index('?').nil? ? {} : CGI::parse(rt[rt.index('?')+1..-1])
- remote = p["remote"] && p["remote"][0]
- return send_api_token_to(params[:return_to], user, remote)
+ # return_to param's format is 'remote,return_to_url'. This comes from login()
+ # encoding the remote=zbbbb parameter passed by a client asking for a salted
+ # token.
+ remote, return_to_url = params[:return_to].split(',', 2)
+ remote = nil if remote == ''
+ return send_api_token_to(return_to_url, user, remote)