From 154658f5d73de59ccc1aba0cda2454e189ee8dc1 Mon Sep 17 00:00:00 2001
From: SamoilenkoVadym <samoylenko.vadym@gmail.comm>
Date: Mon, 9 Feb 2026 21:46:11 +0000
Subject: [PATCH] Fix MSAL redirectUri to match Azure AD registration

redirectUri = https://ai-sandbox.oliver.solutions/solventum-image-metadata/
(app root, not /login or /auth/callback)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .env.example         | 6 +++---
 templates/login.html | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.env.example b/.env.example
index 06842cd..ef2fd78 100644
--- a/.env.example
+++ b/.env.example
@@ -12,9 +12,9 @@ ROOT_PATH=/solventum-image-metadata
 # === Azure AD / SSO ===
 AZURE_TENANT_ID=e519c2e6-bc6d-4fdf-8d9c-923c2f002385
 AZURE_CLIENT_ID=9079054c-9620-4757-a256-23413042f1ef
-AZURE_CLIENT_SECRET=YOUR_AZURE_CLIENT_SECRET_HERE
-# Must match Azure AD App Registration > Authentication > Redirect URIs exactly
-REDIRECT_URI=https://ai-sandbox.oliver.solutions/solventum-image-metadata/auth/callback
+# AZURE_CLIENT_SECRET is not needed (client-side MSAL.js flow)
+# Must match Azure AD App Registration > Authentication > SPA Redirect URIs exactly
+REDIRECT_URI=https://ai-sandbox.oliver.solutions/solventum-image-metadata/
 
 # === OpenAI (optional — for AI metadata generation) ===
 OPENAI_API_KEY=
diff --git a/templates/login.html b/templates/login.html
index a274d70..6f79ea9 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -316,7 +316,7 @@
                     auth: {
                         clientId: "{{ azure_client_id }}",
                         authority: "https://login.microsoftonline.com/{{ azure_tenant_id }}",
-                        redirectUri: window.location.origin + "{{ base }}/login",
+                        redirectUri: window.location.origin + "{{ base }}/",
                     },
                     cache: {
                         cacheLocation: "sessionStorage",