From 7200a6735f82f570301d1fae4a694ca79455c180 Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Thu, 23 Oct 2025 23:52:01 +1100
Subject: [PATCH] OK - 302 + Location
---
 app/controllers/api/forward_auth_controller.rb | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/app/controllers/api/forward_auth_controller.rb b/app/controllers/api/forward_auth_controller.rb
index 3c8a3a2..d3d8c80 100644
--- a/app/controllers/api/forward_auth_controller.rb
+++ b/app/controllers/api/forward_auth_controller.rb
@@ -131,12 +131,22 @@ module Api
 "https://#{request.headers['Host']}"
 end
+ # Debug: log what we're redirecting to after login
+ Rails.logger.info "ForwardAuth: Will redirect to after login: #{original_url}"
+
 session[:return_to_after_authenticating] = original_url
- # Return 401 Unauthorized with Location header
- # Caddy will automatically redirect to this URL
- response.headers["Location"] = "#{base_url}/signin"
- head :unauthorized
+ # Build login URL with redirect parameters like Authelia
+ login_url = URI.parse("#{base_url}/signin")
+ login_url.query_params = {
+ rd: original_url,
+ rm: request.method
+ }.to_query
+ # Return 302 Found directly to login page (matching Authelia)
+ # This is the same as Authelia's StatusFound response
+ Rails.logger.info "Setting 302 redirect to: #{login_url}"
+ redirect_to login_url.to_s, allow_other_host: true, status: :found
 end
 def render_forbidden(reason = nil)
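Review bot: `login_url.query_params = {...}.to_query` will most likely raise NoMethodError, because Ruby's standard `URI` objects expose `query=` but no `query_params=` setter (unless the project patches one in outside this hunk); `login_url.query = { rd: original_url, rm: request.method }.to_query` does what the comment describes. The `rd` value is assembled from request headers (the context line uses `request.headers['Host']`) and now travels in a query string the client can edit, so the sign-in action should honour it only after checking its host against the configured protected domains, or keep relying on the server-side `session[:return_to_after_authenticating]` copy. The two new `Rails.logger.info` calls write the full original URL, including any query-string tokens, to the log at info level; logging only host and path, or dropping to debug, avoids that. The enclosing method begins above the hunk, so how `original_url` and `base_url` are derived is not visible here.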