diff --git a/backend/LexBoxApi/Auth/AuthKernel.cs b/backend/LexBoxApi/Auth/AuthKernel.cs
index 38fae368b..69065a040 100644
--- a/backend/LexBoxApi/Auth/AuthKernel.cs
+++ b/backend/LexBoxApi/Auth/AuthKernel.cs
@@ -87,9 +87,11 @@ public static void AddLexBoxAuth(IServiceCollection services,
                             context.Request.Headers.Authorization.ToString().StartsWith("Bearer") &&
                             context.RequestServices.GetService<IOptions<OpenIdOptions>>()?.Value.Enable == true)
                         {
+                            //todo this breaks CanUseBearerAuth test
                             //fow now this will use oauth
                             return OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
                         }
+
                         if (context.Request.IsJwtRequest())
                         {
                             return JwtBearerDefaults.AuthenticationScheme;
@@ -100,6 +102,7 @@ public static void AddLexBoxAuth(IServiceCollection services,
                         {
                             return CookieAuthenticationDefaults.AuthenticationScheme;
                         }
+
                         if (context.Request.IsJwtOverBasicAuth(out var jwt))
                         {
                             context.Features.Set(new JwtOverBasicAuthFeature(jwt));
@@ -114,8 +117,23 @@ public static void AddLexBoxAuth(IServiceCollection services,
                 configuration.Bind("Authentication:Cookie", options);
                 options.LoginPath = "/login";
                 options.Cookie.Name = AuthCookieName;
-                // options.ForwardChallenge = JwtBearerDefaults.AuthenticationScheme;
                 options.ForwardForbid = JwtBearerDefaults.AuthenticationScheme;
+                options.Events = new()
+                {
+                    OnRedirectToLogin = context =>
+                    {
+                        if (context.Request.Path.StartsWithSegments("/api/oauth") &&
+                            context.Response.StatusCode == StatusCodes.Status200OK)
+                        {
+                            context.Response.Redirect(context.RedirectUri);
+                        }
+                        else
+                        {
+                            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                        }
+                        return Task.CompletedTask;
+                    }
+                };
             })
             .AddJwtBearer(options =>
             {
@@ -157,6 +175,7 @@ public static void AddLexBoxAuth(IServiceCollection services,
                     googleOptions.ClientId = googleConfig.ClientId;
                     googleOptions.ClientSecret = googleConfig.ClientSecret;
                 }
+
                 googleOptions.CallbackPath = "/api/login/signin-google";
                 googleOptions.Events.OnTicketReceived = async context =>
                 {
diff --git a/frontend/src/lib/app.postcss b/frontend/src/lib/app.postcss
index 7d170db1f..ee5ff9963 100644
--- a/frontend/src/lib/app.postcss
+++ b/frontend/src/lib/app.postcss
@@ -10,6 +10,7 @@
   @media (prefers-color-scheme: dark) {
     :root {
       --alert-link-color: #4dd0ff;
+      --alert-warning-link-color: #1537e9;
     }
   }
 }
@@ -167,6 +168,10 @@ input[readonly]:focus {
   color: var(--alert-link-color, #0024b9);
 }
 
+.alert-warning a:not(.btn) {
+  color: var(--alert-warning-link-color, var(--alert-link-color, #0024b9));
+}
+
 .collapse input:hover ~ .collapse-title {
   @apply opacity-70 transition-opacity;
 }
diff --git a/frontend/src/lib/notify/Notify.svelte b/frontend/src/lib/notify/Notify.svelte
index 1d0bd4ca7..6d3f8a064 100644
--- a/frontend/src/lib/notify/Notify.svelte
+++ b/frontend/src/lib/notify/Notify.svelte
@@ -14,7 +14,7 @@
         <BadgeButton on:click={removeAllNotifications}>{$t('notify.close_all')}<span class="ml-2">✕</span></BadgeButton>
       </div>
     {/if}
-    {#each $notifications as note}
+    {#each $notifications as note (note)}
       <div class="alert {note.category ?? ''}" in:slide out:blur>
         {note.message}
         <button on:click={() => removeNotification(note)} class="btn btn-circle btn-sm btn-ghost">✕</button>
diff --git a/frontend/src/routes/(authenticated)/admin/+page.svelte b/frontend/src/routes/(authenticated)/admin/+page.svelte
index f01d5f5fe..59df52d22 100644
--- a/frontend/src/routes/(authenticated)/admin/+page.svelte
+++ b/frontend/src/routes/(authenticated)/admin/+page.svelte
@@ -24,6 +24,7 @@
   import { createGuestUserByAdmin, type LexAuthUser } from '$lib/user';
   import CreateUserModal from '$lib/components/Users/CreateUserModal.svelte';
   import type { Confidentiality } from '$lib/components/Projects';
+  import { browser } from '$app/environment';
 
   export let data: PageData;
   $: projects = data.projects;
@@ -114,7 +115,7 @@
 <main>
   <div class="grid grid-cols-2 admin-tabs:grid-cols-1 gap-10">
     <div class="contents" class:admin-tabs:hidden={tab === 'users'}>
-    <AdminProjects projects={$projects} draftProjects={$draftProjects} {queryParams} />
+      <AdminProjects projects={$projects} draftProjects={$draftProjects} {queryParams} />
     </div>
 
     <div class:admin-tabs:hidden={tab !== 'users'}>
@@ -132,13 +133,14 @@
               </Badge>
             </div>
           </div>
-          <button class="btn btn-sm btn-success max-xs:btn-square"
+          <!-- svelte-ignore a11y-no-static-element-interactions -->
+          <svelte:element this={browser ? 'button' : 'div'} class="btn btn-sm btn-success max-xs:btn-square"
             on:click={() => createUserModal.open()}>
             <span class="admin-tabs:hidden">
               {$t('admin_dashboard.create_user_modal.create_user')}
             </span>
             <span class="i-mdi-plus text-2xl" />
-          </button>
+          </svelte:element>
         </div>
       </AdminTabs>
       <div class="mt-4">
@@ -199,6 +201,8 @@
                 <td class="hidden @2xl:table-cell">
                   {#if user.username}
                     {user.username}
+                  {:else}
+                    –
                   {/if}
                 </td>
                 <td>
diff --git a/frontend/src/routes/(authenticated)/project/[project_code]/+page.svelte b/frontend/src/routes/(authenticated)/project/[project_code]/+page.svelte
index 6e9b6df43..deefdcc76 100644
--- a/frontend/src/routes/(authenticated)/project/[project_code]/+page.svelte
+++ b/frontend/src/routes/(authenticated)/project/[project_code]/+page.svelte
@@ -235,7 +235,7 @@
     <svelte:fragment slot="actions">
       {#if project.type === ProjectType.FlEx && $isDev}
         {#if project.isLanguageForgeProject}
-          <a href="./{project.code}/viewer" class="btn btn-neutral text-[#DCA54C] flex items-center gap-2">
+          <a href="./{project.code}/viewer" target="_blank" class="btn btn-neutral text-[#DCA54C] flex items-center gap-2">
             {$t('project_page.open_with_viewer')}
             <span class="i-mdi-dictionary text-2xl" />
           </a>
diff --git a/frontend/viewer/src/WebComponent.svelte b/frontend/viewer/src/WebComponent.svelte
index 23c112b4b..44a05a6ca 100644
--- a/frontend/viewer/src/WebComponent.svelte
+++ b/frontend/viewer/src/WebComponent.svelte
@@ -13,6 +13,8 @@
 
     const abortController = new AbortController();
     window.addEventListener('popstate', () => {
+      if (!location.hash) return;
+
       const hashTarget = shadowRoot.querySelector(location.hash);
       if (hashTarget) {
         hashTarget.scrollIntoView({