## Summary
Fixes CORS errors in HTTPS environments where the auth service worker
blocked cross-origin redirects to Google Cloud Storage.
## Problem
The service worker was using `mode: 'same-origin'` which prevented
following redirects when `/api/view` returns a 302 redirect to GCS:
```
Unsafe attempt to load URL https://storage.googleapis.com/...
from frame with URL https://testcloud.comfy.org/auth-sw.js.
Domains, protocols and ports must match.
```
This only occurred in HTTPS/cloud environments where media is served
from GCS. Localhost/HTTP test environments serve files directly without
redirects, so the issue wasn't caught there.
## Solution
Changed redirect handling from automatic to manual:
1. **Initial request to `/api/view`**: Sends WITH auth headers
(validates user access)
2. **Detect redirect response**: Checks for 301/302/opaqueredirect
3. **Follow redirect to GCS**: Fetches WITHOUT auth headers (signed URL
has built-in auth)
### Key Changes
- Removed `mode: 'same-origin'` (was blocking cross-origin redirects)
- Changed `redirect: event.request.redirect` to `redirect: 'manual'`
- Added manual redirect handling that follows to GCS without Firebase
auth headers
## Why This Works
The two requests have different authentication mechanisms:
- **`/api/view` request**: Uses Firebase auth header (backend validates
user access)
- **GCS request**: Uses signed URL with query params (`Signature=...`,
`GoogleAccessId=...`, `Expires=...`)
The security check still happens on the initial `/api/view` request, but
we allow the redirect to GCS to use its own authentication system.
## Testing
- Typecheck passed
- Should be tested in HTTPS cloud environment with media files stored in
GCS
┆Issue is synchronized with this [Notion
page](https://www.notion.so/PR-6265-bugfix-fix-auth-service-worker-to-handle-cross-origin-redirects-to-GCS-2976d73d365081d0b124db4918f8194e)
by [Unito](https://www.unito.io)
## Summary
Added Service Worker to inject Firebase auth headers into browser-native
`/api/view` requests (img, video, audio tags) for cloud distribution.
## Changes
- **What**: Implemented [Service
Worker](https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API)
to intercept and authenticate media requests that cannot natively send
custom headers
- **Dependencies**: None (uses native Service Worker API)
## Implementation Details
**Tree-shaking**: Uses compile-time `isCloud` constant - completely
removed from localhost/desktop builds (verified via bundle analysis).
Verify yourself by building the app and `grep -r
"registerAuthServiceWorker\|setupAuth" dist/`
**Caching**: 50-minute auth header cache with automatic invalidation on
login/logout to prevent redundant token fetches.
**Message Flow**:
```mermaid
sequenceDiagram
participant IMG as Browser
participant SW as Service Worker
participant MT as Main Thread
participant FB as Firebase Auth
IMG->>SW: GET /api/view/image.png
SW->>SW: Check cache (50min TTL)
alt Cache miss
SW->>MT: REQUEST_AUTH_HEADER
MT->>FB: getAuthHeader()
FB-->>MT: Bearer token
MT-->>SW: AUTH_HEADER_RESPONSE
SW->>SW: Cache token
end
SW->>IMG: Fetch with Authorization header
Note over SW,MT: On login/logout: INVALIDATE_AUTH_HEADER
```
## Review Focus
- **Same-origin mode**: Service Worker uses `mode: 'same-origin'` to
allow custom headers (browser-native requests default to `no-cors` which
strips headers)
- **Request deduplication**: Prevents concurrent auth header requests
from timing out
- **Build verification**: Confirm `register-*.js` absent in localhost
builds, present (~3.2KB) in cloud builds
┆Issue is synchronized with this [Notion
page](https://www.notion.so/PR-6139-auth-add-service-worker-on-cloud-distribution-to-attach-auth-header-to-browser-native--2916d73d3650812698dccd07d943ab3c)
by [Unito](https://www.unito.io)
