Consume login.redirect session key in 2FA setup redirect

Pulls the value instead of getting it, and caches the result in __invoke
so the early-return and the Inertia prop share the same resolved URL.
Prevents a stale redirect from lingering in the session after the setup
flow completes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: jasonvarga

src/Http/Controllers/TwoFactorSetupController.php

@@ -19,14 +19,15 @@ public function __construct(Request $request)
     public function __invoke(Request $request)
     {
         $user = User::fromUser($request->user());
+        $redirect = $this->redirectPath();
 
         if ($user->hasEnabledTwoFactorAuthentication()) {
-            return redirect($this->redirectPath());
+            return redirect($redirect);
         }
 
         return Inertia::render('auth/two-factor/Setup', [
             'routes' => $this->routes($user),
-            'redirect' => $this->redirectPath(),
+            'redirect' => $redirect,
         ]);
     }
 
@@ -38,7 +39,7 @@ protected function redirectPath()
             }
         }
 
-        if ($redirect = session('login.redirect')) {
+        if ($redirect = session()->pull('login.redirect')) {
             if (! URL::isExternalToApplication($redirect)) {
                 return $redirect;
             }