From e3e2a565e78e842f2af9f6046adbc07abe78f7d7 Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Thu, 23 Oct 2025 22:27:11 +1100
Subject: [PATCH] Oh - we do use a 401, but with a Location header
---
 app/controllers/api/forward_auth_controller.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/app/controllers/api/forward_auth_controller.rb b/app/controllers/api/forward_auth_controller.rb
index e39331a..3c8a3a2 100644
--- a/app/controllers/api/forward_auth_controller.rb
+++ b/app/controllers/api/forward_auth_controller.rb
@@ -133,8 +133,10 @@ module Api
 session[:return_to_after_authenticating] = original_url
- # Return 302 redirect to login page
- redirect_to "#{base_url}/signin", allow_other_host: true
+ # Return 401 Unauthorized with Location header
+ # Caddy will automatically redirect to this URL
+ response.headers["Location"] = "#{base_url}/signin"
+ head :unauthorized
 end
 def render_forbidden(reason = nil)
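Review bot: The Location value written by `response.headers["Location"] = "#{base_url}/signin"` no longer goes through `redirect_to`, so nothing in Rails checks it and its safety rests entirely on how `base_url` is built, which is outside this hunk. If `base_url` is derived from request headers such as Host or X-Forwarded-Host, a spoofed header could point unauthenticated users at a look-alike sign-in page, so it should come from configuration or be matched against an allowlist of known hosts. I would record that next to the assignment, e.g. `# base_url must be a configured, trusted origin: this is where users are sent to enter credentials`. The new comment also says Caddy redirects automatically; a browser does not follow Location on a 401 by itself, so the comment should name the proxy configuration that turns this response into a redirect. The enclosing method starts above the hunk.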