Remote functions: Prefetching prematurely tiggers redirect, disabling it subsequently

[andreasputlitz]

Describe the bug

It seems to me that prefetching is breaking the redirects I am using, when my user isn't logged in but should be.

Basically what happens is that when I hover over the link, it seems that the remote function is immediately triggered by the prefetch, and the redirect fires. You can see it in the address bar, which shows the address the redirect points to.

Thing is, I haven't clicked yet. When I now click on the link, the redirect is already "spent", and I end up on the page that I wanted to protect. Only if I now fully reload the page, I am redirected.

When I disable prefetching on that link, it works as intended.

Reproduction

component.svelte:

<script>
import { call  } from './fetch.remote'
</script>

await call()

---

fetch.remote.js:

export const call = query(async () =>
{
   redirect(307, '/some-other-route')
})

Logs

System Info

System:
    OS: Linux 6.6 Ubuntu 24.04.3 LTS 24.04.3 LTS (Noble Numbat)
    CPU: (8) x64 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
    Memory: 10.78 GB / 15.48 GB
    Container: Yes
    Shell: 5.9 - /usr/bin/zsh
  Binaries:
    Node: 24.8.0 - /home/andreas/.nvm/versions/node/v24.8.0/bin/node
    npm: 11.6.2 - /home/andreas/.nvm/versions/node/v24.8.0/bin/npm
  Browsers:
    Chrome: 141.0.7390.107
  npmPackages:
    @sveltejs/adapter-auto: ^7.0.0 => 7.0.0 
    @sveltejs/kit: ^2.47.1 => 2.48.5 
    @sveltejs/vite-plugin-svelte: ^6.2.1 => 6.2.1 
    svelte: ^5.41.0 => 5.43.7 
    vite: ^7.1.10 => 7.2.2

Severity

serious, but I can work around it

Additional Information

No response

[sillvva]

Can you reproduce the issue here?

https://stackblitz.com/edit/sveltejs-kit-template-default-gqwbrpvy?file=package.json,src%2Froutes%2Ftest.remote.ts,src%2Froutes%2Fprotected%2F%2Bpage.svelte,src%2Froutes%2F%2Bpage.svelte

[andreasputlitz]

@sillvva Yes, sort of. I starts happening when you redirect to another route that to the one you are already on (e.g. root in the example).

I added an /auth route. When you hover over the link, the /auth route appears in the address bar. But when you click, the /protected route shows up. No navigation does happen here though. When you hit refresh, you end up on the auth route.

The difference here to my project is, that in my project, it actually even navigates to the protected route, but I do have a +layout.svelte in there too, this might be the reason. In both cases however the redirect is reflected prematurly in the address bar, but then doesn't fire anymore when you actually click the link it is supposed to protect.

Do you see what I mean?

https://stackblitz.com/edit/sveltejs-kit-template-default-n8fxfcrb?file=src%2Froutes%2Ftest.remote.ts

[sillvva]

Yep! I see what you're referring to.

Before hovering: On home page

After hovering: URL (incorrectly) changes to /auth before clicking

After clicking: URL (incorrectly) changes to /protected. We should be redirected to /auth, but are not.

After refreshing: We (correctly) end up on /auth

[sillvva]

Might be another fork issue in svelte@5.42.0. Issue exists there, and downgrading to 5.41.4 fixes the issue.

[andreasputlitz]

Ah, good know, thanks. I'll try that for now then.

[andreasputlitz]

Rolled back to "svelte": "5.41.4" locally and can confirm that downgrading fixed the issue also locally for me.

[sillvva]

After updating to @sveltejs/kit@2.48.6, the page redirects to /auth on hover, before even clicking the link. I think that is also incorrect behavior. It should wait until the link is clicked.

@dummdidumm you had made a fork change in 2.48.6. I think that might be the cause. It is not happening in 2.48.5. The above issue is related to svelte though.

https://stackblitz.com/edit/sveltejs-kit-template-default-kpafr7xr?file=package.json