"NetworkError when attempting to fetch resource." from auth when behind pangolin's SSO

[s0up4200]

Discussed in #1034

^{Originally posted by fg11a January 1, 2026}
I'm having a bit of an issue with having qui behind pangolin's sso. I have 20+ other services behind pangolin's sso without issue.

• If I disable pangolin's sso for qui everything works fine and I can log in past qui's auth
• if it's enabled and cookies/site data in firefox are cleared, it works
• if it's enabled but past cookies/site data are there, I usually get the screenshot below when trying to authenticate. In firefox's dev tools I see

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://pangolin.domain.com/auth/resource/54cxa163-9f29-41ef-ac91-7c20e11s8583?redirect=https%3A%2F%2Fqui.domain.com%2Fapi%2Flicense%2Flicensed. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 400.

Qui version: 1.11.0
Firefox for macos: 146.0.1

My pangolin setup is very vanilla: running pangolin 1.14.1 (with traefik 3.3.3) with a couple of servers linked. Nothing appears in traefik or pangolin logs during the above and I have no other rules for this resource (resp. domain) in pangolin (resp. traefik's dynamic/static) config.

[nitrobass24]

I have this same issue with Cloudflare Access/Tunnel. Seems after the the initial session cookie expires, Qui is trying to load resources but is never redirected to CF for re-authentication. Happy to run some test to help out here.

Autobrr runs perfectly in my setup, FWIW.

[fg11a]

Seems to work for me, thanks!