From 9ab7b52b6292b8d2b734a9dfd59f4c2de3d06535 Mon Sep 17 00:00:00 2001
From: Flea Flicker <flea-flicker@groombook.farh.net>
Date: Sun, 5 Apr 2026 08:49:30 +0000
Subject: [PATCH] fix(GRO-472): exclude OAuth callback from service worker
 caching

The NetworkFirst route for /api/* was intercepting the OIDC callback
(/api/auth/oauth2/callback/authentik?code=...), returning a cached
index.html instead of forwarding to the API server.

Added navigateFallbackDenylist regex to exclude the callback path
from service worker navigation handling, allowing the callback request
to reach the API server normally.

Fixes GRO-472.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 apps/web/vite.config.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/web/vite.config.ts b/apps/web/vite.config.ts
index 066b753..7beaaa5 100644
--- a/apps/web/vite.config.ts
+++ b/apps/web/vite.config.ts
@@ -40,6 +40,9 @@ export default defineConfig({
       },
       workbox: {
         globPatterns: ["**/*.{js,css,html,ico,png,svg,woff2}"],
+        navigateFallbackDenylist: [
+          /^\/api\/auth\/oauth2\/callback\//,
+        ],
         runtimeCaching: [
           {
             urlPattern: /^http.*\/api\/.*/i,
-- 
2.52.0