From 9731afb77649997f020cbad52c44c592af8024fa Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Sun, 22 Mar 2026 12:38:01 +0100
Subject: [PATCH] fix(auth): pass through explicit Authorization header in
 handleFetch

The login action sends Basic auth via an explicit Authorization header.
handleFetch was intercepting this request and returning 401 because no
auth_token cookie exists yet (the user isn't logged in), never forwarding
the credentials to the backend.

Fix: if the outgoing request already has an Authorization header, pass it
through unchanged. Only inject the cookie-based token for requests that
don't provide their own auth.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 frontend/src/hooks.server.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/frontend/src/hooks.server.ts b/frontend/src/hooks.server.ts
index 78c5dae5..37d4823e 100644
--- a/frontend/src/hooks.server.ts
+++ b/frontend/src/hooks.server.ts
@@ -65,6 +65,12 @@ export const handleFetch: HandleFetch = async ({ event, request, fetch }) => {
 	const isApi = request.url.startsWith(apiUrl) || request.url.includes('/api/');
 
 	if (isApi) {
+		// If the request already carries an explicit Authorization header (e.g. the
+		// login action sends Basic auth), pass it through unchanged.
+		if (request.headers.has('Authorization')) {
+			return fetch(request);
+		}
+
 		const token = event.cookies.get('auth_token');
 
 		if (!token) {