From e26662597a4e0f7dfb74e0e46cf58efdeb486a85 Mon Sep 17 00:00:00 2001
From: Joey Yakimowich-Payne <jyapayne@pm.me>
Date: Thu, 15 Jan 2026 21:29:57 -0700
Subject: [PATCH] Caddy

---
 Caddyfile.example     | 25 ++++++++++++++++++++-----
 scripts/setup-prod.sh | 25 ++++++++++++++++++++-----
 2 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/Caddyfile.example b/Caddyfile.example
index a0d44bb..182e06c 100644
--- a/Caddyfile.example
+++ b/Caddyfile.example
@@ -16,11 +16,26 @@ kaboot.example.com {
 }
 
 auth.example.com {
-    reverse_proxy authentik-server:9000 {
-        header_up X-Forwarded-Proto {scheme}
-        header_up X-Forwarded-Host {host}
-        transport http {
-            keepalive 30s
+    @oidc path /application/o/*
+    
+    handle @oidc {
+        reverse_proxy authentik-server:9000 {
+            header_up X-Forwarded-Proto {scheme}
+            header_up X-Forwarded-Host {host}
+            header_down -Access-Control-Allow-Origin
+        }
+        header Access-Control-Allow-Origin "https://kaboot.example.com"
+        header Access-Control-Allow-Methods "GET, POST, OPTIONS"
+        header Access-Control-Allow-Headers "Content-Type, Authorization"
+    }
+    
+    handle {
+        reverse_proxy authentik-server:9000 {
+            header_up X-Forwarded-Proto {scheme}
+            header_up X-Forwarded-Host {host}
+            transport http {
+                keepalive 30s
+            }
         }
     }
 }
diff --git a/scripts/setup-prod.sh b/scripts/setup-prod.sh
index 924a832..1910756 100755
--- a/scripts/setup-prod.sh
+++ b/scripts/setup-prod.sh
@@ -183,11 +183,26 @@ ${KABOOT_DOMAIN} {
 }
 
 ${AUTH_DOMAIN} {
-    reverse_proxy authentik-server:9000 {
-        header_up X-Forwarded-Proto {scheme}
-        header_up X-Forwarded-Host {host}
-        transport http {
-            keepalive 30s
+    @oidc path /application/o/*
+    
+    handle @oidc {
+        reverse_proxy authentik-server:9000 {
+            header_up X-Forwarded-Proto {scheme}
+            header_up X-Forwarded-Host {host}
+            header_down -Access-Control-Allow-Origin
+        }
+        header Access-Control-Allow-Origin "https://${KABOOT_DOMAIN}"
+        header Access-Control-Allow-Methods "GET, POST, OPTIONS"
+        header Access-Control-Allow-Headers "Content-Type, Authorization"
+    }
+    
+    handle {
+        reverse_proxy authentik-server:9000 {
+            header_up X-Forwarded-Proto {scheme}
+            header_up X-Forwarded-Host {host}
+            transport http {
+                keepalive 30s
+            }
         }
     }
 }