diff --git a/src/main/kotlin/de/grimsi/gameyfin/config/SecurityConfig.kt b/src/main/kotlin/de/grimsi/gameyfin/config/SecurityConfig.kt
index ecb6d41..c4c25a9 100644
--- a/src/main/kotlin/de/grimsi/gameyfin/config/SecurityConfig.kt
+++ b/src/main/kotlin/de/grimsi/gameyfin/config/SecurityConfig.kt
@@ -20,7 +20,8 @@ class SecurityConfig : VaadinWebSecurity() {
     override fun configure(http: HttpSecurity) {
         // Configure your static resources with public access before calling super.configure(HttpSecurity) as it adds final anyRequest matcher
         http.authorizeHttpRequests { auth: AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry ->
-            auth.requestMatchers(AntPathRequestMatcher("/public/**")).permitAll()
+            auth.requestMatchers("/setup").permitAll()
+                .requestMatchers("/public/**").permitAll()
         }
 
         super.configure(http)
diff --git a/src/main/kotlin/de/grimsi/gameyfin/setup/SetupDataLoader.kt b/src/main/kotlin/de/grimsi/gameyfin/setup/SetupDataLoader.kt
index f6aa22d..831b744 100644
--- a/src/main/kotlin/de/grimsi/gameyfin/setup/SetupDataLoader.kt
+++ b/src/main/kotlin/de/grimsi/gameyfin/setup/SetupDataLoader.kt
@@ -26,7 +26,7 @@ class SetupDataLoader(
         log.info { "We will now set up some data..." }
 
         setupRoles()
-        setupUsers()
+        //setupUsers()
 
         log.info { "Setup completed..." }
     }
@@ -45,7 +45,7 @@ class SetupDataLoader(
             password = "user",
             roles = listOf(roleRepository.findByRolename(Roles.USER.roleName)!!)
         )
-        
+
         userService.registerUser(user)
     }
 
diff --git a/src/main/kotlin/de/grimsi/gameyfin/setup/SetupFilter.kt b/src/main/kotlin/de/grimsi/gameyfin/setup/SetupFilter.kt
index f2945d8..64cab06 100644
--- a/src/main/kotlin/de/grimsi/gameyfin/setup/SetupFilter.kt
+++ b/src/main/kotlin/de/grimsi/gameyfin/setup/SetupFilter.kt
@@ -4,7 +4,6 @@ import jakarta.servlet.*
 import jakarta.servlet.http.HttpServletRequest
 import jakarta.servlet.http.HttpServletResponse
 import org.springframework.core.annotation.Order
-import org.springframework.http.HttpStatus
 import org.springframework.stereotype.Component
 import java.io.IOException
 
@@ -20,14 +19,24 @@ class SetupFilter(
         val req = servletRequest as HttpServletRequest
         val res = servletResponse as HttpServletResponse
 
-        val isSetupUri = req.requestURI.contains("/v1/setup")
+        val isSetupUri = req.requestURI.startsWith("/setup")
+        val isLoginUri = req.requestURI.startsWith("/login")
 
-        if (setupService.isSetupCompleted() && !isSetupUri ||
-            !setupService.isSetupCompleted() && isSetupUri
-        ) {
+        // Skip this filter if the urls don't match
+        if (!(isSetupUri || isLoginUri)) {
             filterChain.doFilter(req, res)
-        } else {
-            res.status = HttpStatus.FORBIDDEN.value()
+            return
         }
+
+        val isSetupComplete = setupService.isSetupCompleted()
+
+        if (isSetupUri && isSetupComplete) {
+            res.sendRedirect("/login")
+        } else if (isLoginUri && !isSetupComplete) {
+            res.sendRedirect("/setup")
+        }
+
+        // took me longer than I want to admit to realize you always need to call doFilter() at the end
+        filterChain.doFilter(req, res)
     }
 }
\ No newline at end of file