From 4f69457a68c6bbadd60b59ce333279abc91f1e94 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Mon, 23 Mar 2026 17:05:20 +0100
Subject: [PATCH] fix(dev): inject Authorization header from cookie in Vite dev
 proxy

Browser-side fetch('/api/...') calls bypass SvelteKit's handleFetch hook
(which adds the Authorization header from the auth_token cookie for SSR).
As a result, client-side API calls in the dev server always got a 401.

Add a proxy configure hook that extracts the auth_token cookie from incoming
requests and sets it as the Authorization header before forwarding to the
backend. This makes browser-side fetches (history panel, file preview, etc.)
work correctly in dev mode.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/vite.config.ts | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/frontend/vite.config.ts b/frontend/vite.config.ts
index 4c3e2176..76be0fe1 100644
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -13,7 +13,19 @@ export default defineConfig({
 		proxy: {
 			'/api': {
 				target: process.env.API_PROXY_TARGET || 'http://localhost:8080',
-				changeOrigin: true
+				changeOrigin: true,
+				// Inject Authorization header from the auth_token cookie so that
+				// browser-side fetch('/api/...') calls work the same as SSR fetches
+				// (which go through handleFetch in hooks.server.ts).
+				configure: (proxy) => {
+					proxy.on('proxyReq', (proxyReq, req) => {
+						const cookies = req.headers.cookie ?? '';
+						const match = cookies.match(/auth_token=([^;]+)/);
+						if (match) {
+							proxyReq.setHeader('Authorization', decodeURIComponent(match[1]));
+						}
+					});
+				}
 			}
 		}
 	},