Fix: Auth-Callback setzt Cookie via HTML-Response statt RedirectResponse

2026-04-10 21:27:32 +02:00 · 2026-04-10 21:27:32 +02:00 · f56c2af5cd
commit f56c2af5cd
parent 0d0c06106a
1 changed files with 14 additions and 7 deletions
--- a/app/main.py
+++ b/app/main.py
@ -324,15 +324,22 @@ async def auth_callback(request: Request, code: str = "", state: str = ""):

    tokens = resp.json()
    access_token = tokens.get("access_token", "")
+    expires_in = tokens.get("expires_in", 3600)

-    from fastapi.responses import RedirectResponse
-    response = RedirectResponse("/")
-    response.set_cookie(
-        "access_token", access_token,
-        httponly=True, secure=True, samesite="lax",
-        max_age=tokens.get("expires_in", 3600),
+    # HTML-Response statt RedirectResponse: setzt Cookie UND redirected.
+    # RedirectResponse mit Set-Cookie wird von manchen Browsern bei
+    # 307/302 ignoriert (insb. hinter Reverse-Proxies).
+    return HTMLResponse(
+        f"""<!DOCTYPE html><html><head>
+        <meta http-equiv="refresh" content="0;url=/">
+        </head><body><p>Anmeldung erfolgreich, Weiterleitung...</p></body></html>""",
+        headers={
+            "Set-Cookie": (
+                f"access_token={access_token}; Path=/; Secure; HttpOnly; "
+                f"SameSite=Lax; Max-Age={expires_in}"
+            )
+        },
    )
-    return response


@app.get("/api/auth/login-url")