diff --git a/CHANGELOG.md b/CHANGELOG.md index 63a20dc..f5bfe0f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,14 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm --- +## [1.5.1] - 2026-05-19 + +### Fixed + +- **Webhook endpoints not reachable in production** — `server/index.js` (the production entry point) was missing the `webhookRoutes` import and mount. Only `server/app.js` (the test factory) had the routes registered. As a result every `POST /api/webhook/*` request in a running container fell through to the `verifyCsrf` middleware and was rejected with `403 CSRF token missing`. Added `app.use('/api/webhook', webhookRoutes)` in `index.js` immediately after `authRoutes` and before `verifyCsrf`, matching the order in `app.js`. + +--- + ## [1.5.0a] - 2026-05-19 ### Fixed diff --git a/package.json b/package.json index aeea999..b2f38f5 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "sofarr", - "version": "1.5.0a", + "version": "1.5.1", "description": "A personal media download dashboard that shows your downloads 'so far' while you relax on the sofa waiting for your *arr services to finish", "main": "server/index.js", "scripts": { diff --git a/server/index.js b/server/index.js index 9de9820..fa25c03 100644 --- a/server/index.js +++ b/server/index.js @@ -84,6 +84,7 @@ const embyRoutes = require('./routes/emby'); const dashboardRoutes = require('./routes/dashboard'); const historyRoutes = require('./routes/history'); const authRoutes = require('./routes/auth'); +const webhookRoutes = require('./routes/webhook'); const verifyCsrf = require('./middleware/verifyCsrf'); const { startPoller, POLL_INTERVAL, POLLING_ENABLED } = require('./utils/poller'); const { validateInstanceUrl } = require('./utils/config'); @@ -252,6 +253,7 @@ function serveIndex(req, res) { // --------------------------------------------------------------------------- app.use('/api', apiLimiter); app.use('/api/auth', authRoutes); +app.use('/api/webhook', webhookRoutes); // All routes below this point require CSRF validation on mutating methods app.use('/api', verifyCsrf);