
Vendor and Admin SSO login now redirects to the correct external URLs

PR #758 · heytulsiprasad · Jan 18, 2026 · 16:35 UTC
QA: Jan 5, 2026
Production: Jan 18, 2026

Executive summary

Fixed the sign-in redirect for the Vendor and Admin portals so that, after authenticating through SSO, users are returned to the correct public application address. Previously the redirect could point to an internal server address in the QA (and similar reverse-proxy/Docker) environments, causing the login flow to fail.

Why this was needed

When an unauthenticated user opened a protected page in the Vendor or Admin app, the apps built the SSO returnTo link from the raw incoming request URL. In containerized/reverse-proxy deployments (such as QA), that value resolved to an internal address (localhost:3002 for Vendor, localhost:3003 for Admin) rather than the public hostname, so the SSO login could not redirect the user back to the right place. The Mail app already used the configured external URL pattern; Vendor and Admin were not yet consistent with it.

Client / user impact

Vendor and Admin users in affected environments can complete the SSO login flow reliably and land back on the page they originally requested, instead of hitting a broken redirect to an internal address. No change to credentials, permissions, or data.

Technical scope

  • apps/admin/src/middleware.ts: added an ADMIN_APP_URL constant resolved via getAppUrl("admin", process.env.NEXT_PUBLIC_ADMIN_APP_URL) and built returnTo from that configured URL plus the request path/query, instead of request.url.
  • apps/vendor/src/middleware.ts: added a VENDOR_APP_URL constant resolved via getAppUrl("vendor", process.env.NEXT_PUBLIC_VENDOR_APP_URL) and built returnTo the same way.
  • Vendor login redirect query parameter changed from target=vendor to app=vendor to match the parameter the auth app actually reads (Admin already used app=admin).
  • Scope is limited to the unauthenticated redirect branch of each middleware; total change is +17/-6 across the two files.
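The returnTo construction described above, as an added TypeScript example that is not the PR's own code and has no Next.js dependency so it runs stand-alone. The getAppUrl function here is a hypothetical stand-in for the project's helper of the same name (only the call shape getAppUrl(app, process.env.NEXT_PUBLIC_*_APP_URL) comes from the PR); the auth host, its /login path, the fallback origins and the sample request URL are constructed assumptions. The "before" builder keeps the broken behaviour so the difference is visible side by side.

```typescript
// Added example, not the PR's or the project's code. getAppUrl is a
// hypothetical stand-in for the project helper; only its call shape comes
// from the PR. Auth host, /login path and fallback origins are assumptions.

type AppName = "admin" | "vendor";

// Constructed fallback origins (assumption): the internal listeners that
// the old request.url-based redirect used to leak into returnTo.
const FALLBACK_APP_URLS: Record<AppName, string> = {
  admin: "http://localhost:3003",
  vendor: "http://localhost:3002",
};

// Resolve the public app origin from the environment, falling back to the
// local default when the variable is unset or blank. Trailing slashes are
// stripped so that path joining below is predictable.
function getAppUrl(app: AppName, envValue: string | undefined): string {
  const raw = (envValue ?? "").trim();
  const base = raw.length > 0 ? raw : FALLBACK_APP_URLS[app];
  return base.replace(/\/+$/, "");
}

// Before the fix: returnTo was request.url itself. Behind a reverse proxy
// or in Docker that is the internal origin, e.g. http://localhost:3002/...
function buildReturnToBefore(requestUrl: string): string {
  return requestUrl;
}

// After the fix: keep only the path and query from the incoming request and
// prefix them with the configured public origin.
function buildReturnTo(appUrl: string, requestUrl: string): string {
  const incoming = new URL(requestUrl);
  return `${appUrl}${incoming.pathname}${incoming.search}`;
}

// Compose the auth-app login URL. The auth app reads `app` (not `target`,
// which is why the Vendor parameter was renamed), and returnTo is encoded
// by URLSearchParams so its own query string survives the round trip.
function buildLoginUrl(authUrl: string, app: AppName, returnTo: string): string {
  const login = new URL("/login", authUrl); // assumed auth login path
  login.searchParams.set("app", app);
  login.searchParams.set("returnTo", returnTo);
  return login.toString();
}

// The check the QA steps perform by hand: returnTo must sit on the
// configured public origin and must not be an internal/loopback address.
function returnToUsesPublicHost(returnTo: string, appUrl: string): boolean {
  const target = new URL(returnTo);
  const expected = new URL(appUrl);
  const loopback = new Set(["localhost", "127.0.0.1", "[::1]"]);
  return target.origin === expected.origin && !loopback.has(target.hostname);
}

// Stand-alone demonstration with constructed values for the Vendor app.
function demo(): { before: string; after: string; loginUrl: string } {
  const VENDOR_APP_URL = getAppUrl(
    "vendor",
    "https://cortex-vendorqa.datagainservices.com/", // constructed env value
  );
  const requestUrl = "http://localhost:3002/orders?page=2&sort=asc"; // constructed
  const before = buildReturnToBefore(requestUrl);
  const after = buildReturnTo(VENDOR_APP_URL, requestUrl);
  const loginUrl = buildLoginUrl("https://auth.example.invalid", "vendor", after);
  return { before, after, loginUrl };
}

console.log(demo());
```

The configured origin is the trust anchor here: it comes from deployment configuration, not from the incoming request or its Host header, which is what makes the redirect stable behind a proxy. The returnToUsesPublicHost check is the same comparison the QA steps make by eye and can be dropped into an environment smoke test so a missing or wrong NEXT_PUBLIC_*_APP_URL value is caught before users hit the login flow.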

Risk & mitigation

Low risk and tightly scoped to two middleware files in the no-session redirect path. The correctness now depends on NEXT_PUBLIC_ADMIN_APP_URL / NEXT_PUBLIC_VENDOR_APP_URL (with getAppUrl fallback) being set correctly per environment; a misconfigured value would redirect to the wrong host. Mitigation: confirm these env vars are set in each deployed environment and verify the redirect targets during QA.

QA validation focus

  • In QA, open a protected Vendor page while logged out and confirm the SSO redirect returnTo points to the public Vendor host (e.g. cortex-vendorqa.datagainservices.com), not localhost:3002.
  • Repeat for Admin and confirm the redirect points to the public Admin host (e.g. cortex-adminqa.datagainservices.com), not localhost:3003.
  • Verify the Vendor login URL uses app=vendor and that login completes and returns the user to the originally requested page (including any query string).
  • Confirm already-authenticated users and public asset paths are unaffected.