CSRF failures are not apparent to users

[holysoles]

Is there an existing issue for this?

• I have searched the existing issues

Is your issue described in the documentation?

• I have read the documentation

Is your issue present in the latest beta/pre-release?

This issue is present in the latest pre-release

Describe the Bug

PR #4645 introduced CSRF checks into the web interface. When a POST request is submitted to "save" a config change, there is no visual indication presented to the user that the request has failed.

Additionally, nothing is logged to the server-side log, even with verbose logging enabled.

Users must retry the web request with developer tools open, and review the logs for a 400 error that contains the detailed error message.

Expected Behavior

An error message (HTML or even browser window alert) should be presented to the user, especially since a "success" message is normally presented. Ideally this would contain the API error message, but even something more generic like "HTTP 400 error when submitting changes" would be helpful.

Additional Context

No response

Host Operating System

Linux

Operating System Version

Fedora 43

Architecture

amd64/x86_64

Package

Linux - Fedora Copr

GPU Type

AMD

GPU Model

N/A

GPU Driver/Mesa Version

N/A

Capture Method

None

Apps

Log output

Online logs

No response

[XT-Martinez]

so this is why PIN and config changes stopped working

[ReenigneArcher]

CSRF protection was added. You need to add your allowed hostnames to the new setting https://github.com/LizardByte/Sunshine/blob/master/docs/configuration.md#csrf_allowed_origins

[reloxx13]

CSRF protection was added. You need to add your allowed hostnames to the new setting https://github.com/LizardByte/Sunshine/blob/master/docs/configuration.md#csrf_allowed_origins
How to add if I cannot save the page?

Yes, by editing the config manually, but there is no info on the expected format — string, array, JSON? I don’t even know why it has CSRF protection; I call it via the host IP address with port in the browser, no proxy.

Are the defaults overridden or extended by the custom config? Is a restart required after manual editing of the config?

https://192.168.178.12:47990/config#

---

For others finding this:

• Use your IP.
• Add this line at the end of C:\Program Files\Sunshine\config\sunshine.conf:

csrf_allowed_origins = https://192.168.178.12

[ReenigneArcher]

Yes, by editing the config manually, but there is no info on the expected format — string, array, JSON?

The docs describe it.

https://docs.lizardbyte.dev/projects/sunshine/master/md_docs_2configuration.html#csrf_allowed_origins

I don’t even know why it has CSRF protection; I call it via the host IP address with port in the browser, no proxy.

It's a more proper fix for GHSA-39hj-fxvw-758m