From 4ed2cecec54100d91382ac25d270478e560fb828 Mon Sep 17 00:00:00 2001
From: Kyle Isom <kyle@imap.cc>
Date: Mon, 30 Mar 2026 17:32:44 -0700
Subject: [PATCH] Fix SSO redirect failing with htmx login form

The login form uses hx-post, so htmx sends the POST via fetch. A 302
redirect to the cross-origin service callback URL fails silently because
fetch follows the redirect but gets blocked by CORS. Use HX-Redirect
header instead, which tells htmx to perform a full page navigation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 internal/ui/handlers_auth.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/internal/ui/handlers_auth.go b/internal/ui/handlers_auth.go
index 5c33bb9..bada966 100644
--- a/internal/ui/handlers_auth.go
+++ b/internal/ui/handlers_auth.go
@@ -211,6 +211,14 @@ func (u *UIServer) finishLogin(w http.ResponseWriter, r *http.Request, acct *mod
 	// SSO redirect flow: issue authorization code and redirect to service.
 	if ssoNonce != "" {
 		if callbackURL, ok := u.buildSSOCallback(r, ssoNonce, acct.ID); ok {
+			// Security: htmx follows 302 redirects via fetch, which fails
+			// cross-origin (no CORS on the service callback). Use HX-Redirect
+			// so htmx performs a full page navigation instead.
+			if isHTMX(r) {
+				w.Header().Set("HX-Redirect", callbackURL)
+				w.WriteHeader(http.StatusOK)
+				return
+			}
 			http.Redirect(w, r, callbackURL, http.StatusFound)
 			return
 		}