From b090f8b810964e34ec38dba14e1408100fc4ce8f Mon Sep 17 00:00:00 2001
From: "groombook-engineer[bot]"
 <269742240+groombook-engineer[bot]@users.noreply.github.com>
Date: Sun, 5 Apr 2026 08:55:07 +0000
Subject: [PATCH] fix(GRO-472): exclude OAuth callback from service worker
 caching (#228)

The NetworkFirst route for /api/* was intercepting the OIDC callback
(/api/auth/oauth2/callback/authentik?code=...), returning a cached
index.html instead of forwarding to the API server.

Added navigateFallbackDenylist regex to exclude the callback path
from service worker navigation handling, allowing the callback request
to reach the API server normally.

Fixes GRO-472.

Co-authored-by: Flea Flicker <flea-flicker@groombook.farh.net>
Co-authored-by: Paperclip <noreply@paperclip.ing>
---
 apps/web/vite.config.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/web/vite.config.ts b/apps/web/vite.config.ts
index 066b753..7beaaa5 100644
--- a/apps/web/vite.config.ts
+++ b/apps/web/vite.config.ts
@@ -40,6 +40,9 @@ export default defineConfig({
       },
       workbox: {
         globPatterns: ["**/*.{js,css,html,ico,png,svg,woff2}"],
+        navigateFallbackDenylist: [
+          /^\/api\/auth\/oauth2\/callback\//,
+        ],
         runtimeCaching: [
           {
             urlPattern: /^http.*\/api\/.*/i,