From d301825e502a1527fe19d72864364e203aafad89 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sun, 17 May 2026 20:55:30 +0200
Subject: [PATCH] feat(auth): remove auth_token cookie injection from Vite dev proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With the Spring Session model the browser forwards fa_session itself — the proxy no longer needs to translate auth_token → Authorization: Basic.

Co-Authored-By: Claude Sonnet 4.6
---
 frontend/vite.config.ts | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/frontend/vite.config.ts b/frontend/vite.config.ts
index 02f2cc48..bb4113c5 100644
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -17,19 +17,9 @@ export default defineConfig({
 proxy: {
 '/api': {
 target: process.env.API_PROXY_TARGET || 'http://localhost:8080',
- changeOrigin: true,
- // Inject Authorization header from the auth_token cookie so that
- // browser-side fetch('/api/...') calls work the same as SSR fetches
- // (which go through handleFetch in hooks.server.ts).
- configure: (proxy) => {
- proxy.on('proxyReq', (proxyReq, req) => {
- const cookies = req.headers.cookie ?? '';
- const match = cookies.match(/auth_token=([^;]+)/);
- if (match) {
- proxyReq.setHeader('Authorization', decodeURIComponent(match[1]));
- }
- });
- }
+ changeOrigin: true
+ // The browser forwards the fa_session cookie to the backend automatically;
+ // no header injection needed (ADR-020).
 }
 }
 },
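Review bot: The new comment under `changeOrigin: true` says the browser forwards `fa_session` "automatically", but that holds only when the cookie's Domain, Path, Secure and SameSite attributes fit the dev-server origin, and `changeOrigin: true` rewrites the Host header the backend sees when it issues the cookie. The backend's cookie settings are not visible in this hunk (the `defineConfig` object also continues outside it), so this is worth confirming with a non-default `API_PROXY_TARGET`; if the attributes do not fit, http-proxy's `cookieDomainRewrite` option is the usual remedy. I would state the assumption in the comment, e.g. `// Assumes fa_session is host-only with Path=/ so it round-trips through the dev origin (ADR-020).` Separately, a browser that still holds an old `auth_token` cookie, which per the removed lines carried the Authorization value, will keep sending it in the Cookie header until it is expired, so the migration presumably needs to clear it somewhere outside this file.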