diff --git a/admin_ui/login.html b/admin_ui/login.html
index 7d1f0ac..3da90df 100644
--- a/admin_ui/login.html
+++ b/admin_ui/login.html
@@ -22,7 +22,15 @@
hx-post="/admin/login"
hx-target="#err"
hx-swap="innerHTML"
- hx-on::after-request="if (event.detail.successful) window.location.href = '/admin/'"
+ hx-on::after-request="
+ const xhr = event.detail.xhr;
+ if (event.detail.successful && (xhr.responseText || '').trim() === '') {
+ /* Empty 2xx body = real login. The TOTP-required path returns 2xx
+ with an HTML prompt fragment, which we MUST NOT redirect away
+ from. */
+ window.location.href = '/admin/';
+ }
+ "
>