From 7656e84c205b08b64ecc184e4a139473499094a7 Mon Sep 17 00:00:00 2001
From: libussa <libussa@users.noreply.github.com>
Date: Mon, 16 Feb 2026 21:44:29 +0100
Subject: [PATCH] fix stale SERVER_URL when changing env var in Docker (#1714)

settings.js (which injects SERVER_URL into the browser) was served
without Cache-Control headers, causing Cloudflare and other reverse
proxies to cache the old value indefinitely. Additionally, when
SERVER_LOCK is enabled, the persisted server URL in localStorage was
never compared against the current window.SERVER_URL, so same-browser
sessions kept using the old server even after settings.js was updated.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
---
 ng.conf.template                   |  2 ++
 src/renderer/router/app-outlet.tsx | 21 +++++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/ng.conf.template b/ng.conf.template
index f14bb7099..3e766769b 100644
--- a/ng.conf.template
+++ b/ng.conf.template
@@ -20,9 +20,11 @@ server {
 
   location ${PUBLIC_PATH}settings.js {
     alias /etc/nginx/conf.d/settings.js;
+    add_header Cache-Control "no-store";
   }
 
   location ${PUBLIC_PATH}/settings.js {
     alias /etc/nginx/conf.d/settings.js;
+    add_header Cache-Control "no-store";
   }
 }
diff --git a/src/renderer/router/app-outlet.tsx b/src/renderer/router/app-outlet.tsx
index 6efb71d37..5565173db 100644
--- a/src/renderer/router/app-outlet.tsx
+++ b/src/renderer/router/app-outlet.tsx
@@ -1,20 +1,37 @@
 import { useMemo } from 'react';
 import { Navigate, Outlet } from 'react-router';
 
+import { isServerLock } from '/@/renderer/features/action-required/utils/window-properties';
 import { AppRoute } from '/@/renderer/router/routes';
-import { useCurrentServer } from '/@/renderer/store';
+import { useAuthStoreActions, useCurrentServer } from '/@/renderer/store';
+
+const normalizeUrl = (url: string) => url.replace(/\/$/, '');
 
 export const AppOutlet = () => {
     const currentServer = useCurrentServer();
+    const { deleteServer, setCurrentServer } = useAuthStoreActions();
 
     const isActionsRequired = useMemo(() => {
+        // When SERVER_LOCK is enabled and the configured URL has changed,
+        // clear the stale session so the user re-authenticates against the new server.
+        if (isServerLock() && currentServer && window.SERVER_URL) {
+            const configuredUrl = normalizeUrl(window.SERVER_URL);
+            const persistedUrl = normalizeUrl(currentServer.url);
+
+            if (configuredUrl !== persistedUrl) {
+                deleteServer(currentServer.id);
+                setCurrentServer(null);
+                return true;
+            }
+        }
+
         const isServerRequired = !currentServer;
 
         const actions = [isServerRequired];
         const isActionRequired = actions.some((c) => c);
 
         return isActionRequired;
-    }, [currentServer]);
+    }, [currentServer, deleteServer, setCurrentServer]);
 
     if (isActionsRequired) {
         return <Navigate replace to={AppRoute.ACTION_REQUIRED} />;