[GH-ISSUE #2209] Web app manifest and 401 status code (Unauthorized) #6595

New Issue

Closed

opened 2026-04-20 17:11:33 -05:00 by GiteaMirror · 5 comments

GiteaMirror commented 2026-04-20 17:11:33 -05:00

Owner

Copy Link

Originally created by @rhclayto on GitHub (Feb 9, 2026).
Original GitHub issue: https://github.com/go-vikunja/vikunja/issues/2209

Pre-submission checklist

• I have searched for existing open or closed issue reports with the same problem.

Description

I ran into this issue (see below). It's an easy change but I don't know if there are security or other implications, & it cannot be user configurable because it must be changed before building the frontend, unless there is some other way of doing this. Is this something that Vikunja would like to do? If so I can do a PR.

From https://vite-pwa-org.netlify.app/guide/faq.html#web-app-manifest-and-401-status-code-unauthorized :

Browsers send requests for the web manifest without credentials] https://web.dev/articles/add-manifest#link-manifest), so if your site sits behind auth, the request will fail with a 401 Unauthorized error – even if the user is logged in.

To send the request with credentials, the needs a crossorigin="use-credentials" attribute, which you can enable via useCredentials in the plugin options:

useCredentials: true

Vikunja Version

v1.0.0

Browser and version

Firefox/Chrome/any browser

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response

Originally created by @rhclayto on GitHub (Feb 9, 2026). Original GitHub issue: https://github.com/go-vikunja/vikunja/issues/2209 ### Pre-submission checklist - [x] I have searched for existing open or closed issue reports with the same problem. ### Description I ran into this issue (see below). It's an easy change but I don't know if there are security or other implications, & it cannot be user configurable because it must be changed before building the frontend, unless there is some other way of doing this. Is this something that Vikunja would like to do? If so I can do a PR. From https://vite-pwa-org.netlify.app/guide/faq.html#web-app-manifest-and-401-status-code-unauthorized : Browsers send requests for the web manifest without credentials] https://web.dev/articles/add-manifest#link-manifest), so if your site sits behind auth, the request will fail with a 401 Unauthorized error – even if the user is logged in. To send the request with credentials, the <link rel="manifest"> needs a crossorigin="use-credentials" attribute, which you can enable via useCredentials in the [plugin options](https://github.com/antfu/vite-plugin-pwa/blob/main/src/types.ts#L79): `useCredentials: true` ### Vikunja Version v1.0.0 ### Browser and version Firefox/Chrome/any browser ### Can you reproduce the bug on the Vikunja demo site? No ### Screenshots _No response_

GiteaMirror added the waiting for reply label 2026-04-20 17:11:33 -05:00

GiteaMirror closed this issue 2026-04-20 17:11:34 -05:00

GiteaMirror commented 2026-04-20 17:11:36 -05:00

Author

Owner

Copy Link

@kolaente commented on GitHub (Feb 9, 2026):

What exactly was the issue that you ran into?

<!-- gh-comment-id:3870391717 --> @kolaente commented on GitHub (Feb 9, 2026): What exactly was the issue that you ran into?

GiteaMirror commented 2026-04-20 17:11:36 -05:00

Author

Owner

Copy Link

@rhclayto commented on GitHub (Feb 9, 2026):

I have Vikunja behind Authelia, so all routes are protected by cookie auth. By default, the browser doesn't include credentials (here, cookies) with web manifest requests, so those equests are rejected, the browser doesn't get a manifest.json. Changing the Vite setting makes web manifests get sent with credentials, making PWAs work behind auth.

<!-- gh-comment-id:3873094022 --> @rhclayto commented on GitHub (Feb 9, 2026): I have Vikunja behind Authelia, so all routes are protected by cookie auth. By default, the browser doesn't include credentials (here, cookies) with web manifest requests, so those equests are rejected, the browser doesn't get a manifest.json. Changing the Vite setting makes web manifests get sent with credentials, making PWAs work behind auth.

GiteaMirror commented 2026-04-20 17:11:36 -05:00

Author

Owner

Copy Link

@kolaente commented on GitHub (Feb 9, 2026):

Gotcha. That makes more sense now.

Do you want to send a PR?

<!-- gh-comment-id:3874157765 --> @kolaente commented on GitHub (Feb 9, 2026): Gotcha. That makes more sense now. Do you want to send a PR?

GiteaMirror commented 2026-04-20 17:11:37 -05:00

Author

Owner

Copy Link

@rhclayto commented on GitHub (Feb 9, 2026):

🫡

<!-- gh-comment-id:3874457460 --> @rhclayto commented on GitHub (Feb 9, 2026): 🫡

GiteaMirror commented 2026-04-20 17:11:38 -05:00

Author

Owner

Copy Link

@rhclayto commented on GitHub (Feb 9, 2026):

https://github.com/go-vikunja/vikunja/pull/2218

<!-- gh-comment-id:3874523783 --> @rhclayto commented on GitHub (Feb 9, 2026): https://github.com/go-vikunja/vikunja/pull/2218

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

gh-readonly-queue/main/pr-2731-7800102f937efa5fbcec6262a1159beb4441caf7

feat-v2-foundation

spike-huma-openapi3

claude/investigate-swagger3-support-nyyUa

feat-list-view-buckets

ci-mysql-8-test

codex/analyze-codebase-for-email-task-feature

feat-project-templates

csv-import-feature

claude/email-reply-comments-wpdcQ

fix-oidc-pkce-support

fix/overview-subtasks-expand

feat/bucket-select-task-detail

feat-soft-delete-projects

claude/review-bot-design-plan-cf5C3

claude/project-scoped-api-tokens-KTqR3

claude/explore-openclaw-integration-KQEzg

claude/project-scoped-api-tokens-yv5KS

fix-duplicate-close-button

feat-list-view-sorting

feat/official-vite-sentry-plugin

feat/highlight-overdue-tasks

feat/add-enter-key-form-submission-handling

feat/TipTap-nits

feat/update-caldavtimetotimestamp-parsing

feat-phosphor-icons

wip-plans

claude/investigate-issue-2173-llKme

fix-description-text-drag

feat-custom-keyboard-shortcuts

pr-1845-ci

codex/fix-drag-and-drop-behavior-inconsistency

copilot/add-clickable-labels-for-filtering

copilot/fix-issue-1786

playwright-migration

fix-kanban-repeating-wip

copilot/fix-1498

feature/replace-axios

codex/upgrade-to-tailwind-4.1.8-using-pnpm

codex/add-cypress-test-for-avatar-types

feature/biome

feature/oxc

codex/update-flexsearch-to-0.8.205

4r6ni9-codex/fix-deprecated-sass-@import-usage

codex/fix-deprecated-sass-@import-usage

codex/add-cypress-test-for-task-list-refresh-fix

codex/fix-quick-add-magic-not-adding-tasks

codex/fix-all-type-errors

codex/fix-mimetype-for-docs.json

feature/caldav-from-scratch

feature/gh-actions-hetzner

fix-ci

feat/new-logger

jyte-better-dev-config

feat/add-team-member-with-enter

fix/button-and-icon-types

fix/notifications-component-name-collision

feature/null-time

renovate/tailwindcss-4.x

feature/unplugin-vue-router

fix/deprecated-import

feature/zod-schema

renovate/golangci-golangci-lint-1.x

fix/tiptap-editor-reactive-destructuring

release/0.24

feat/improve-add-task

fix/saved-filter-search

feat/webp-and-avif-attachment-previews

feature/migrate-back-to-bulma

fix/sass-add-missing-list-import

feature/sticky-demo-bar

fix/gantt-view-switch

feature/typesense-position-join

feature/focus-visible

dependencies/golangci-lint

feature/better-filter-syntax

fix/tiptap-task-list

renovate/github.com-golang-jwt-jwt-v4-5.x

feature/hide-forbidden-related-tasks

renovate/golang-1.x

release/0.20

release/0.17

release/0.16

release/0.15

release/0.14

v2.3.0

v2.2.2

v2.2.1

v2.2.0

v2.1.0

v2.0.0

v1.1.0

v1.0.0

v1.0.0-rc4

v1.0.0-rc3

v1.0.0-rc2

v1.0.0-rc1

v1.0.0-rc0

v0.24.6

v0.24.5

v0.24.4

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.0

v0.22.1

v0.22.0

0.21.0

v0.21.0

v0.20.4

v0.20.5

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.2

v0.19.1

v0.19.0

vue3

v0.18.1

v0.18.0

v0.17.1

v0.17.0

v0.16.1

v0.16.0

v0.15.1

v0.15.0

v0.14.1

v0.14.0

v0.13.1

v0.13

v0.12

v0.11

v0.10

v0.9

v0.8

v0.7

v0.6

v0.5

v0.4

v0.3

v0.2

v0.1

Labels

Clear labels

area/api

area/attachments

area/auth

area/avatars

area/backup-restore

area/caldav

area/calendar-view

area/comments

area/config

area/database

area/desktop

area/docker

area/email

area/favorites

area/filters

area/frontend

area/gantt

area/i18n

area/import-export

area/internal-code

area/kanban

area/labels

area/list-view

area/mobile

area/notifications

area/permissions

area/projects

area/pwa

area/recurring-tasks

area/reminders

area/search

area/shortcuts

area/subtasks

area/sync

area/table-view

area/task-editor

area/task-metadata

area/task-relations

area/teams

area/theming

area/time-tracking

area/typesense

area/views

area/webhooks

bug

changes requested

concern/accessibility

concern/performance

concern/regression

concern/ux

confirmed

db/mysql

dependencies

enhancement

good first issue

help wanted

integration/inbound

integration/outbound

kind/bug

kind/feature

needs reproduction

pull-request

Mirrored from GitHub Pull Request

question

security

support

upstream issue

waiting for reply

wontfix

No Label waiting for reply

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vikunja#6595