CSRF origin mismatch on every Save (regression in v0.8.5.1) #34
Description
Description
Sortarr was working normally for me until today. When I opened the UI, I was redirected to the Setup page and cannot get past it. Every attempt to save the Setup form fails with: {"error":"CSRF origin mismatch."}. This happens even when all required fields are filled (Basic Auth, session secret key, proxy mode, Sonarr/Radarr URLs, etc.). I cannot complete Setup and cannot access the app.
Steps to Reproduce
Start Sortarr v0.8.5.1 (fresh container or existing one that forces Setup)
Open the UI (reverse proxy URL or direct NAS IP)
Fill out:
Basic Auth username/password
Generate permanent session secret key
Proxy mode (Single proxy or Direct)
Sonarr/Radarr URLs + API keys
Click Save and continue
Sortarr responds with: {"error":"CSRF origin mismatch."}
Setup never completes.
Expected Behavior
Setup should save successfully and allow access to the main Sortarr UI.
Actual Behavior
Setup always fails with a CSRF error.
The app remains stuck on the Setup screen and cannot be used.
Environment
Sortarr version: v0.8.5.1
Deployment: Docker on Synology NAS
Access method: Reverse proxy (HTTPS) and direct NAS IP (HTTP)
Browser: Chrome + Firefox (same result)
Fresh container restart does not resolve it
Clearing cookies/cache does not resolve it
Happens even with:
Direct IP access
Proxy mode set to Direct
Fresh session secret
Fresh Basic Auth credentials
Additional Notes
This setup worked previously; the issue began suddenly today.
The error occurs before any connection tests run, so the failure is happening in the CSRF middleware during Setup.
It seems the CSRF cookie is not being set or accepted during the Setup flow, causing every POST to /setup to fail.
Request
Can you confirm whether this is a known regression in the v0.8.4+ CSRF/session rewrite?
And is there a recommended workaround (e.g., disabling secure cookies, forcing HTTP-only mode, or bypassing Setup)?