From 603f444c33150df94c126e87c12d66511ae45365 Mon Sep 17 00:00:00 2001
From: Gronod
Date: Tue, 19 May 2026 19:06:31 +0100
Subject: [PATCH 1/2] fix(webhooks): mount webhook routes in index.js before verifyCsrf

Webhook routes were only registered in app.js (the test factory) but not in index.js (the production entry point). POST /api/webhook/* was therefore falling through to the verifyCsrf middleware and being rejected with 403 in production.
---
 server/index.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/index.js b/server/index.js
index 9de9820..fa25c03 100644
--- a/server/index.js
+++ b/server/index.js
@@ -84,6 +84,7 @@ const embyRoutes = require('./routes/emby');
 const dashboardRoutes = require('./routes/dashboard');
 const historyRoutes = require('./routes/history');
 const authRoutes = require('./routes/auth');
+const webhookRoutes = require('./routes/webhook');
 const verifyCsrf = require('./middleware/verifyCsrf');
 const { startPoller, POLL_INTERVAL, POLLING_ENABLED } = require('./utils/poller');
 const { validateInstanceUrl } = require('./utils/config');
@@ -252,6 +253,7 @@ function serveIndex(req, res) {
 // ---------------------------------------------------------------------------
 app.use('/api', apiLimiter);
 app.use('/api/auth', authRoutes);
+app.use('/api/webhook', webhookRoutes);
 // All routes below this point require CSRF validation on mutating methods
 app.use('/api', verifyCsrf);
From eeab314a0842298e44a3c89bae45966719282fce Mon Sep 17 00:00:00 2001
From: Gronod
Date: Tue, 19 May 2026 19:07:05 +0100
Subject: [PATCH 2/2] chore: bump version to 1.5.1

---
 CHANGELOG.md | 8 ++++++++
 package.json | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 63a20dc..f5bfe0f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
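Review bot: In the second server/index.js hunk, mounting `webhookRoutes` above `app.use('/api', verifyCsrf)` exempts every mutating `/api/webhook/*` request from CSRF validation, and nothing visible in this patch shows what authenticates those requests instead. The exemption is expected for server-to-server callbacks, but it is only safe if routes/webhook.js verifies each caller itself (a shared secret or signature — not visible here, and the rest of the middleware chain is outside the hunk) and never acts on the browser session cookie. I would state that contract at the mount: `// Webhooks carry no CSRF token: routes/webhook must authenticate every request itself and must not trust the session cookie`. Since the mount order is now maintained by hand in both app.js and index.js, a test that boots index.js, or a shared mount helper, would catch the next drift before production does.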
@@ -6,6 +6,14 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 ---
+## [1.5.1] - 2026-05-19
+
+### Fixed
+
+- **Webhook endpoints not reachable in production** — `server/index.js` (the production entry point) was missing the `webhookRoutes` import and mount. Only `server/app.js` (the test factory) had the routes registered. As a result every `POST /api/webhook/*` request in a running container fell through to the `verifyCsrf` middleware and was rejected with `403 CSRF token missing`. Added `app.use('/api/webhook', webhookRoutes)` in `index.js` immediately after `authRoutes` and before `verifyCsrf`, matching the order in `app.js`.
+
+---
+
 ## [1.5.0a] - 2026-05-19
 ### Fixed
diff --git a/package.json b/package.json
index aeea999..b2f38f5 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "sofarr",
- "version": "1.5.0a",
+ "version": "1.5.1",
 "description": "A personal media download dashboard that shows your downloads 'so far' while you relax on the sofa waiting for your *arr services to finish",
 "main": "server/index.js",
 "scripts": {