From 732a4bda558dee5f8970972fbcab311a49d00d9f Mon Sep 17 00:00:00 2001 From: shashank-sn Date: Mon, 29 Jun 2026 07:33:07 +0530 Subject: [PATCH 1/2] fix: add /embed/ and /.well-known/workflow/ to self-hosting proxy whitelist MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On self-hosted deployments (NEXT_PUBLIC_IS_CAP !== "true"), the proxy redirects unwhitelisted paths to /login. The /embed/ route breaks iframe embeds, and /.well-known/workflow/v1/* routes needed by the workflow/queue system return the SPA shell instead of routing to their handlers. Only whitelisting /.well-known/workflow/ (not the entire /.well-known/ namespace) — the workflow prefix is the specific sub-path that needs bypass, keeping other well-known URIs behind the auth gate. Fixes #1768, fixes #1774, fixes #1944, fixes #906 Co-authored-by: CommandCodeBot --- apps/web/proxy.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apps/web/proxy.ts b/apps/web/proxy.ts index 2bd79a183d..67e096cee7 100644 --- a/apps/web/proxy.ts +++ b/apps/web/proxy.ts @@ -55,7 +55,9 @@ export async function proxy(request: NextRequest) { path.startsWith("/self-hosting") || path.startsWith("/download") || path.startsWith("/terms") || - path.startsWith("/verify-otp") + path.startsWith("/verify-otp") || + path.startsWith("/embed/") || + path.startsWith("/.well-known/workflow/") ) && process.env.NODE_ENV !== "development" ) From 795b6148cee1fb334ca97578641d08b42befb88f Mon Sep 17 00:00:00 2001 From: shashank-sn Date: Mon, 29 Jun 2026 08:12:05 +0530 Subject: [PATCH 2/2] fix: correct whitelist indentation in proxy.ts Align the new /embed/ and /.well-known/workflow/ entries with the surrounding tab-indented path.startsWith calls. Co-authored-by: CommandCodeBot --- apps/web/proxy.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/web/proxy.ts b/apps/web/proxy.ts index 67e096cee7..a14c79ea47 100644 --- a/apps/web/proxy.ts +++ b/apps/web/proxy.ts @@ -56,8 +56,8 @@ export async function proxy(request: NextRequest) { path.startsWith("/download") || path.startsWith("/terms") || path.startsWith("/verify-otp") || - path.startsWith("/embed/") || - path.startsWith("/.well-known/workflow/") + path.startsWith("/embed/") || + path.startsWith("/.well-known/workflow/") ) && process.env.NODE_ENV !== "development" )