marcel/familienarchiv
1
0
Fork 0
Code Issues 118 Pull Requests 2 Actions 4 Packages Projects Releases Wiki Activity

bug(frontend): SvelteKit prerender-crawl bakes redirect-to-login into static HTML for protected routes (HIGH, prod-blocking) #514

New Issue
Closed
opened 2026-05-11 16:52:24 +02:00 by marcel · 0 comments
marcel commented 2026-05-11 16:52:24 +02:00
Owner
Copy Link

Summary

svelte.config.js lists /hilfe/transkription as a prerender entry. SvelteKit's default prerender.crawl = true then follows nav links from that page and tries to prerender /, /documents, /persons, /geschichten, /stammbaum, … Those routes' load functions throw redirect(302, '/login') when the build-time request has no auth cookie. SvelteKit captures that redirect and emits a static HTML file:

<script>location.href="/login";</script><meta http-equiv="refresh" content="0;url=/login">

These prerendered files (build/prerendered/index.html, build/prerendered/documents.html, etc.) are served before the runtime hooks.server.ts ever runs. So an authenticated user with a valid auth_token cookie still gets the static "redirect to /login" response — every time, forever.

Reproduction (on staging right now)

$ ls /app/build/prerendered/
documents.html  geschichten.html  index.html  persons.html  stammbaum.html  hilfe/

$ head -c 100 /app/build/prerendered/index.html
<script>location.href="/login";</script><meta http-equiv="refresh" content="0;url=/login">

$ curl -H "Cookie: auth_token=Basic <valid>" -o - http://127.0.0.1:3001/
<script>location.href="/login";</script>...   ← same baked HTML, no handler runs

Why local dev works

Vite dev mode doesn't prerender — every request runs through the real handle chain. The bug only manifests in npm run build output.

Impact

  • 🔴 Login impossible from production / staging. Users authenticate successfully (cookie set, 303 to /), but / serves the baked bounce-back HTML and they appear stuck on /login.
  • Affects every protected route reachable via nav from /hilfe/transkription (the only intentional prerender entry).

Fix

// svelte.config.js
prerender: {
    entries: ['/hilfe/transkription'],
    crawl: false   // do NOT follow links and prerender them
}

With crawl: false, SvelteKit only prerenders the explicit entries. The dynamic routes will not be touched at build time.

Discovered

Deploying staging via #497 / #499. Cookie was set correctly, backend accepted the credentials, but every page in the browser bounced back to /login. Inspecting the production build artifacts found the baked HTML files.

## Summary `svelte.config.js` lists `/hilfe/transkription` as a prerender entry. SvelteKit's default `prerender.crawl = true` then **follows nav links** from that page and tries to prerender `/`, `/documents`, `/persons`, `/geschichten`, `/stammbaum`, … Those routes' `load` functions throw `redirect(302, '/login')` when the build-time request has no auth cookie. SvelteKit captures that redirect and emits a static HTML file: ```html <script>location.href="/login";</script><meta http-equiv="refresh" content="0;url=/login"> ``` These prerendered files (`build/prerendered/index.html`, `build/prerendered/documents.html`, etc.) are served **before** the runtime `hooks.server.ts` ever runs. So an authenticated user with a valid `auth_token` cookie still gets the static "redirect to /login" response — every time, forever. ## Reproduction (on staging right now) ``` $ ls /app/build/prerendered/ documents.html geschichten.html index.html persons.html stammbaum.html hilfe/ $ head -c 100 /app/build/prerendered/index.html <script>location.href="/login";</script><meta http-equiv="refresh" content="0;url=/login"> $ curl -H "Cookie: auth_token=Basic <valid>" -o - http://127.0.0.1:3001/ <script>location.href="/login";</script>... ← same baked HTML, no handler runs ``` ## Why local dev works Vite dev mode doesn't prerender — every request runs through the real handle chain. The bug only manifests in `npm run build` output. ## Impact - **🔴 Login impossible from production / staging.** Users authenticate successfully (cookie set, 303 to `/`), but `/` serves the baked bounce-back HTML and they appear stuck on `/login`. - Affects every protected route reachable via nav from `/hilfe/transkription` (the only intentional prerender entry). ## Fix ```js // svelte.config.js prerender: { entries: ['/hilfe/transkription'], crawl: false // do NOT follow links and prerender them } ``` With `crawl: false`, SvelteKit only prerenders the explicit entries. The dynamic routes will not be touched at build time. ## Discovered Deploying staging via #497 / #499. Cookie was set correctly, backend accepted the credentials, but every page in the browser bounced back to `/login`. Inspecting the production build artifacts found the baked HTML files.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
P0-critical
Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.
 P1-high
Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.
 P2-medium
Noticeable improvement; doesn't block anything; schedule opportunistically.
 P3-later
Cosmetic or parking-lot work; fine to stay open indefinitely.
 audit
Read-only audit / assessment work; produces a report rather than changing code
 bug
Something isn't working
 cleanup
Removal of dead code, vague comments, naming violations, and scratch artifacts
 collaboration
We want to extend the family archive to have more collaboration tools
 conversation
descoped
We will do that later
 devops
documentation
README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs
 epic
Marker for epic-level issues that group multiple child issues
 feature
file-upload
legibility
Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction
 notification
person
phase-1: security
Security hygiene — must be done first
 phase-2: container-images
Production-ready multi-stage Docker images
 phase-3: prod-compose
Production compose overlay + Caddy reverse proxy
 phase-4: spring-prod-profile
Spring Boot production configuration profile
 phase-5: backups
Database and object storage backup strategy
 phase-6: deployment-docs
.env.example, DEPLOYMENT.md, runbook
 phase-7: monitoring
Prometheus, Loki, Grafana, Alertmanager
 refactor
Code restructuring without behaviour change
 security
test
ui
UI/UX and accessibility issues
 user
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Jens marcel
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: marcel/familienarchiv#514
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?