From 1375ce0634ae56c08ebcd4955f556dbde09a3ecd Mon Sep 17 00:00:00 2001
From: Nathan Esquenazi
Date: Wed, 1 Apr 2026 22:53:50 -0700
Subject: [PATCH] fix: add withCredentials to EventSource for reverse proxy auth

The original PR correctly used new URL(path, location.origin) to strip credentials from fetch/EventSource URLs, and added credentials:'include' to all fetch() calls. However, EventSource requires { withCredentials: true } as a second constructor argument for cookies/auth headers to be forwarded. Without this, SSE streaming breaks behind a reverse proxy with basic auth.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 static/messages.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/static/messages.js b/static/messages.js
index b1e4b0e..c2413c2 100644
--- a/static/messages.js
+++ b/static/messages.js
@@ -169,7 +169,7 @@ async function send(){
 const st=await api(`/api/chat/stream/status?stream_id=${encodeURIComponent(streamId)}`);
 if(st.active){
 setStatus('Reconnected');
- _wireSSE(new EventSource(new URL(`/api/chat/stream?stream_id=${encodeURIComponent(streamId)}`,location.origin).href));
+ _wireSSE(new EventSource(new URL(`/api/chat/stream?stream_id=${encodeURIComponent(streamId)}`,location.origin).href,{withCredentials:true}));
 return;
 }
 }catch(_){}
@@ -214,7 +214,7 @@ async function send(){
 if(!S.session||!INFLIGHT[S.session.session_id]){setBusy(false);setStatus('Error: Connection lost');}
 }
- _wireSSE(new EventSource(new URL(`/api/chat/stream?stream_id=${encodeURIComponent(streamId)}`,location.origin).href));
+ _wireSSE(new EventSource(new URL(`/api/chat/stream?stream_id=${encodeURIComponent(streamId)}`,location.origin).href,{withCredentials:true}));
 }
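Review bot: The added `{withCredentials:true}` is undocumented and, as far as the visible lines show, has no effect: both `new EventSource(...)` calls (the reconnect path in the first hunk and the initial connect in the second) build the URL from `location.origin`, so the request is same-origin, and same-origin EventSource requests already send cookies and cached HTTP auth. The option only changes behaviour for cross-origin URLs, where the browser would then attach credentials and the server must answer with `Access-Control-Allow-Credentials: true` and an explicit, non-wildcard allowed origin. I would record that at the call site, e.g. `// same-origin by construction; withCredentials only takes effect if this URL ever becomes cross-origin, which then needs a strict CORS allow-list`. The two call sites are character-for-character identical, so one small helper that takes `streamId` and returns the EventSource would keep the URL and the credential option from drifting apart. The body of `send()` starts and ends outside both hunks, so how `streamId` is obtained is not visible here.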