From 1212e0f22e430de3c1a4f55182553a7be9d6b73b Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Fri, 24 Oct 2025 11:52:58 +1100
Subject: [PATCH] Allow redirection to 3rd party sites
---
 README.md | 8 +++++++-
 app/controllers/sessions_controller.rb | 6 +++---
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 8192a11..d9ca5d2 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,13 @@ Clinch gives you one place to manage users and lets any web app authenticate aga
 Do you host your own web apps? MeTube, Kavita, Audiobookshelf, Gitea? Rather than managing all those separate user accounts, set everyone up on Clinch and let it do the authentication and user management.
-**Clinch is a lightweight alternative to [Authelia](https://www.authelia.com) and [Authentik](https://goauthentik.io)**, designed for simplicity and ease of deployment.
+Clinch sits in a sweet spot between two excellent open-source identity solutions:
+
+**[Authelia](https://www.authelia.com)** is a fantastic choice for those who prefer external user management through LDAP and enjoy comprehensive YAML-based configuration. It's lightweight, secure, and works beautifully with reverse proxies.
+
+**[Authentik](https://goauthentik.io)** is an enterprise-grade powerhouse offering extensive protocol support (OAuth2, SAML, LDAP, RADIUS), advanced policy engines, and distributed "outpost" architecture for complex deployments.
+
+**Clinch** offers a middle ground with built-in user management, a modern web interface, and focused SSO capabilities (OIDC + ForwardAuth). It's perfect for users who want self-hosted simplicity without external dependencies or enterprise complexity.
 ---
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 0853874..d5b9973 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -41,7 +41,7 @@ class SessionsController < ApplicationController
 # Sign in successful
 start_new_session_for user
- redirect_to after_authentication_url, notice: "Signed in successfully."
+ redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true
 end
 def verify_totp
@@ -71,7 +71,7 @@ class SessionsController < ApplicationController
 session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
 end
 start_new_session_for user
- redirect_to after_authentication_url, notice: "Signed in successfully."
+ redirect_to after_authentication_url, notice: "Signed in successfully.", allow_other_host: true
 return
 end
@@ -83,7 +83,7 @@ class SessionsController < ApplicationController
 session[:return_to_after_authenticating] = session.delete(:totp_redirect_url)
 end
 start_new_session_for user
- redirect_to after_authentication_url, notice: "Signed in successfully using backup code."
+ redirect_to after_authentication_url, notice: "Signed in successfully using backup code.", allow_other_host: true
 return
 end
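Review bot: `allow_other_host: true` switches off Rails' open-redirect protection on the post-login redirect here, and again in the TOTP and backup-code branches (the `@@ -71` and `@@ -83` hunks), yet none of the three hunks checks the destination host before redirecting. The target comes from `after_authentication_url`, which presumably reads `session[:return_to_after_authenticating]`; the later hunks fill that from `session[:totp_redirect_url]`, and where that value is first stored lies outside the diff. If it can originate from a request parameter, a crafted login link would land a freshly authenticated user on an arbitrary external site, so the host should be validated either where the URL is stored or right before each redirect. For example `redirect_to validated_return_url(after_authentication_url), notice: "Signed in successfully.", allow_other_host: true`, where `validated_return_url` is a placeholder name for a helper that returns `root_url` unless the URL is http(s) and its host matches a configured application domain. The enclosing actions start and end outside these hunks, so an existing check elsewhere in them cannot be ruled out.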