From ff79e64fc86b5907d48e4098dc9e3759fb1f0f51 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 12 Apr 2026 02:37:43 +0000
Subject: [PATCH] fix: exempt /chat/login and /chat/oauth/callback from
 forward_auth (#709)

Caddy forward_auth on /chat/* blocked unauthenticated users from
reaching the OAuth login/callback routes (401 instead of redirect).
Add explicit handle blocks for these public routes before the
forward_auth catch-all.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 lib/generators.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/generators.sh b/lib/generators.sh
index 6b4f652..b12e860 100644
--- a/lib/generators.sh
+++ b/lib/generators.sh
@@ -615,6 +615,13 @@ _generate_caddyfile_impl() {
     }
 
     # Chat service — reverse proxy to disinto-chat backend (#705)
+    # OAuth routes bypass forward_auth — unauthenticated users need these (#709)
+    handle /chat/login {
+        reverse_proxy chat:8080
+    }
+    handle /chat/oauth/callback {
+        reverse_proxy chat:8080
+    }
     # Defense-in-depth: forward_auth stamps X-Forwarded-User from session (#709)
     handle /chat/* {
         forward_auth chat:8080 {