@Patrick, I can confirm that this is a bug. I was able to manually type in the route for login and forbidden and save the server action to make it work.
I did apply the fix discussed in Cannot set headers after they are sent to the client just in case it was related but it did not resolve this issue.