From 388ba3218bf234f2cacebaf74e740a8bd79b7ecc Mon Sep 17 00:00:00 2001
From: Nayrosk <105997554+nayrosk@users.noreply.github.com>
Date: Mon, 1 Jun 2026 04:57:27 +0200
Subject: [PATCH] fix(ui): bypass service worker for top-level navigations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

HTTP auth challenges (basic, digest, negotiate) only fire the browser's
native credentials dialog when the response comes straight from the
network. Service worker responses bypass the WWW-Authenticate flow, so
reverse-proxy deployments with HTTP auth in front of the gateway show
a bare 401 after the browser's HTTP-auth memory cache expires (e.g. on
full browser restart) — forcing users to clear site data to recover.

Skip event.request.mode === "navigate" so the browser handles those
requests natively. Offline navigation of the app shell is lost, but
the SPA cannot function without network (all API calls go to the
network), so the trade-off is acceptable.

Refs: #85939, #71669, #53274
---
 ui/public/sw.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ui/public/sw.js b/ui/public/sw.js
index 45ef839ef2c4..43127a96e882 100644
--- a/ui/public/sw.js
+++ b/ui/public/sw.js
@@ -49,6 +49,14 @@ self.addEventListener("fetch", (event) => {
     return;
   }
 
+  // Skip top-level navigations so the browser can handle HTTP auth
+  // challenges natively — WWW-Authenticate dialogs are bypassed when the
+  // response comes from a service worker, breaking reverse-proxy setups
+  // with basic/digest auth in front of the gateway.
+  if (event.request.mode === "navigate") {
+    return;
+  }
+
   // Skip non-UI routes — API, RPC, and plugin routes should never be cached.
   if (
     url.pathname.startsWith("/api/") ||