fix(backend): use redirect:'manual' in frontend API proxy fetch

brkalow · claude · brkalow · commit 184e184e6ccd · 2026-03-27T15:27:30.000-05:00
fetch() defaults to redirect:'follow', which causes it to chase
same-origin redirects server-side. When FAPI returns a 302 back to
the app origin (e.g. after OAuth callback), the proxy's fetch follows
the redirect internally — hitting the app without auth cookies —
instead of passing the 302 to the browser. This breaks OAuth flows
by rendering the sign-in page at the callback URL.

Adding redirect:'manual' ensures the 302 is returned to the browser
as-is, letting the browser handle the navigation with proper cookies.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/backend/src/proxy.ts b/packages/backend/src/proxy.ts
@@ -272,6 +272,11 @@ export async function clerkFrontendApiProxy(request: Request, options?: Frontend
     const fetchOptions: RequestInit = {
       method: request.method,
       headers,
+      // Return redirects as-is instead of following them server-side.
+      // Without this, fetch() follows same-origin redirects internally,
+      // which bypasses the browser and breaks flows like OAuth callbacks
+      // where FAPI redirects back to the app origin.
+      redirect: 'manual',
       // @ts-expect-error - duplex is required for streaming bodies but not in all TS definitions
       duplex: hasBody ? 'half' : undefined,
     };
