From 3389252d3a34cae3c2bd2ff0650618cbbaeeef51 Mon Sep 17 00:00:00 2001
From: Till-JS <101404291+Till-JS@users.noreply.github.com>
Date: Wed, 28 Jan 2026 15:33:36 +0100
Subject: [PATCH] fix(todo-web): remove localhost fallbacks triggering local
 network permission

- Remove localhost:3018 pattern from service worker cache strategies
- Update auth store to only use localhost fallback in development mode
- Bump service worker cache version to v3 to force update

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 .../todo/apps/web/src/lib/stores/auth.svelte.ts | 17 ++++++++++++-----
 apps/todo/apps/web/static/sw.js                 |  4 ++--
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/apps/todo/apps/web/src/lib/stores/auth.svelte.ts b/apps/todo/apps/web/src/lib/stores/auth.svelte.ts
index c85b5144f..366aa6b28 100644
--- a/apps/todo/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/todo/apps/web/src/lib/stores/auth.svelte.ts
@@ -7,17 +7,22 @@ import { browser } from '$app/environment';
 import { initializeWebAuth, type UserData } from '@manacore/shared-auth';
 import { apiClient } from '$lib/api/client';
 
+// Default URLs for local development only
+const DEV_AUTH_URL = 'http://localhost:3001';
+const DEV_BACKEND_URL = 'http://localhost:3018';
+
 // Get auth URL dynamically at runtime - fallback for SSR and client
 function getAuthUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		// Client-side: use injected window variable (set by hooks.server.ts)
-		// Falls back to localhost for local development
 		const injectedUrl = (window as unknown as { __PUBLIC_MANA_CORE_AUTH_URL__?: string })
 			.__PUBLIC_MANA_CORE_AUTH_URL__;
-		return injectedUrl || 'http://localhost:3001';
+		// Only use localhost fallback in development
+		if (injectedUrl) return injectedUrl;
+		return import.meta.env.DEV ? DEV_AUTH_URL : '';
 	}
 	// Server-side (SSR): use Docker internal URL for container-to-container communication
-	return process.env.PUBLIC_MANA_CORE_AUTH_URL || 'http://localhost:3001';
+	return process.env.PUBLIC_MANA_CORE_AUTH_URL || DEV_AUTH_URL;
 }
 
 // Get backend URL dynamically at runtime
@@ -25,9 +30,11 @@ function getBackendUrl(): string {
 	if (browser && typeof window !== 'undefined') {
 		const injectedUrl = (window as unknown as { __PUBLIC_BACKEND_URL__?: string })
 			.__PUBLIC_BACKEND_URL__;
-		return injectedUrl || 'http://localhost:3018';
+		// Only use localhost fallback in development
+		if (injectedUrl) return injectedUrl;
+		return import.meta.env.DEV ? DEV_BACKEND_URL : '';
 	}
-	return process.env.PUBLIC_BACKEND_URL || 'http://localhost:3018';
+	return process.env.PUBLIC_BACKEND_URL || DEV_BACKEND_URL;
 }
 
 // Lazy initialization to avoid SSR issues with localStorage
diff --git a/apps/todo/apps/web/static/sw.js b/apps/todo/apps/web/static/sw.js
index f2af67d36..fba14179a 100644
--- a/apps/todo/apps/web/static/sw.js
+++ b/apps/todo/apps/web/static/sw.js
@@ -1,4 +1,4 @@
-const CACHE_NAME = 'todo-v2';
+const CACHE_NAME = 'todo-v3';
 const OFFLINE_URL = '/offline.html';
 
 // Assets, die immer gecacht werden sollen
@@ -17,7 +17,7 @@ const CACHE_STRATEGIES = {
 		/\.ico$/,
 	],
 	// Nur Netzwerk (für API-Calls und Dev-Server)
-	networkOnly: [/\/api\//, /localhost:3018/, /^\/src\//, /^\/@/, /^\/node_modules\//],
+	networkOnly: [/\/api\//, /^\/src\//, /^\/@/, /^\/node_modules\//],
 };
 
 // Service Worker Installation