Safari embedded auth can get stuck in an infinite redirect / 401 loop

[itayadler]

Summary

When Frontman is embedded cross-origin, Safari can block the session cookie and the client gets stuck in an auth loop.

Symptoms

• Repeated 401s from auth-dependent endpoints such as /api/socket-token and /api/user/me
• Frontman never finishes initializing
• Safari appears to bounce between auth-required states / redirect behavior while other browsers may still work

Root cause

The embedded client relied on cross-site cookies for authentication. Safari's third-party cookie restrictions prevent those cookies from being sent consistently, so embedded API requests fail even though the user can authenticate on the Frontman domain itself.

Expected behavior

Embedded Frontman should be able to authenticate from any origin in all major browsers, including Safari, without depending on third-party cookies.

Proposed fix

• Authenticate in a top-level Frontman popup
• Exchange the authenticated session for a bearer token
• Send that bearer on cross-origin API requests and /api/socket-token
• Remove the embedded dependency on credentials: include
• Ensure CORS explicitly allows Authorization

Acceptance criteria

• Embedded Frontman works in Safari from a cross-origin site
• /api/socket-token and protected /api/* routes accept bearer auth
• The client no longer depends on third-party cookies for embedded auth
• Sign-out clears the stored bearer and reconnecting requires re-authentication