diff --git a/app/main.py b/app/main.py
index 45f03ef..b6977bf 100644
--- a/app/main.py
+++ b/app/main.py
@@ -324,15 +324,22 @@ async def auth_callback(request: Request, code: str = "", state: str = ""):
 tokens = resp.json()
 access_token = tokens.get("access_token", "")
+ expires_in = tokens.get("expires_in", 3600)
- from fastapi.responses import RedirectResponse
- response = RedirectResponse("/")
- response.set_cookie(
- "access_token", access_token,
- httponly=True, secure=True, samesite="lax",
- max_age=tokens.get("expires_in", 3600),
+ # HTML-Response statt RedirectResponse: setzt Cookie UND redirected.
+ # RedirectResponse mit Set-Cookie wird von manchen Browsern bei
+ # 307/302 ignoriert (insb. hinter Reverse-Proxies).
+ return HTMLResponse(
+ f"""
+ +Anmeldung erfolgreich, Weiterleitung...
 """,
+ headers={
+ "Set-Cookie": (
+ f"access_token={access_token}; Path=/; Secure; HttpOnly; " + f"SameSite=Lax; Max-Age={expires_in}"
+ )
+ },
 )
- return response
 @app.get("/api/auth/login-url")
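Review bot: The hand-built `Set-Cookie` header on the new side interpolates `access_token` and `expires_in` straight from the token endpoint's JSON, so a value containing `;` (or a non-integer `expires_in`) silently rewrites or breaks the cookie attributes, whereas the removed `set_cookie()` call went through the `http.cookies` encoding that Starlette applies. `HTMLResponse` is a Starlette `Response`, so the same cookie can be attached to it without the manual header: `response = HTMLResponse(html)`, then `response.set_cookie("access_token", access_token, httponly=True, secure=True, samesite="lax", max_age=int(expires_in))` and `return response`, which keeps the meta-refresh page the commit intends. No import of `HTMLResponse` is added in this hunk, so it must already be in module scope or the handler fails at request time. The comment's claim that browsers ignore `Set-Cookie` on 302/307 is doubtful; behind a reverse proxy the more common cause is the `Secure` attribute on a cookie served over a plain-HTTP hop, which the HTML response does not change either, so the rationale is worth re-checking. `auth_callback` starts before the hunk.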