fix/feat: webhook reliability, Jellyfin Content-Type fix, Seerr rebrand #79
Merged
retardgerman merged 10 commits into main on Mar 16, 2026
…uests (H5)

Webhook reliability fixes:
- Clean up sentNotifications temp marker (-1) on debounce error so a failed Discord send doesn't silently block the series for 24 hours
- Reduce temp marker cleanup timeout from 24h to 5min so orphaned markers are cleared quickly without blocking subsequent webhooks
- Guard against empty channelId before hitting Discord API — logs a clear config error instead of a cryptic API failure
- Include ItemType and Name in webhook error/warning logs for easier debugging without having to parse the raw payload

H5 — Persist pendingRequests to disk:
- Add savePendingRequests() / loadPendingRequests() helpers writing pending-requests.json next to config.json (mode 0600)
- Call savePendingRequests() after every write (3 interaction sites)
- Call onPendingRequestsChanged() callback in handleJellyfinWebhook after deleting a fulfilled request so the file stays in sync
- Call loadPendingRequests() on bot startup so DM notifications for in-flight requests survive service restarts

- Rename api/jellyseerr.js to api/seerr.js
- Rename all JELLYSEERR_* config keys to SEERR_* (URL, API_KEY, AUTO_APPROVE)
- Rename jellyseerr* user mapping keys to seerr* (UserId, Username, DisplayName)
- Update all variable names, function names, i18n keys, DOM IDs, CSS, docs
- Add startup auto-migration for old JELLYSEERR_* keys and USER_MAPPINGS
- Update repo link to https://github.com/seerr-team/seerr in README and docs
- Third-party API paths (/api/v1/*) left unchanged — server-side paths unaffected

…ilures
- Lock account for 10 minutes after 5 consecutive failed login attempts
- Add progressive response delay (300ms * attempt count, capped at 4s) to slow brute-force
- Log failed attempts and lockouts with username and source IP
- Clear failure counter on successful login
- Always run bcrypt compare even for unknown usernames to prevent user enumeration via timing
- Existing IP-based rate limit (20 req/15min) remains in place as a first layer

- Escape discordUserId with escapeHtml() in displayMappings() onclick attribute
- Restrict discordUserId validation to Discord snowflake format (17-19 digits)
- Restrict seerrUserId to numeric strings only

Fixes stored XSS where an attacker with dashboard access could inject arbitrary JS into the user-mapping Remove button, executing in any admin's browser context on page load.
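
The validation and escaping described in this commit, as an added example that is not the project's own code. The regular expressions follow the formats named above; validateMapping, renderRemoveButton and removeMapping are hypothetical names, and the hostile ID is constructed.

```javascript
// Added example, not the project's code. Function names are hypothetical.
const SNOWFLAKE_RE = /^\d{17,19}$/; // Discord snowflake: 17-19 ASCII digits
const NUMERIC_RE = /^\d+$/;         // seerrUserId: digits only

function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Server-side check before a mapping is stored; returns the rejected fields.
function validateMapping({ discordUserId, seerrUserId }) {
  const errors = [];
  if (typeof discordUserId !== 'string' || !SNOWFLAKE_RE.test(discordUserId)) {
    errors.push('discordUserId');
  }
  if (typeof seerrUserId !== 'string' || !NUMERIC_RE.test(seerrUserId)) {
    errors.push('seerrUserId');
  }
  return errors;
}

// Render the Remove button for one mapping.
// Entity-escaping stops the value from closing the attribute, but the HTML
// parser decodes &#39; back to ' before the handler source is compiled, so the
// digits-only check is what keeps the value inert inside the JS string.
function renderRemoveButton(discordUserId) {
  const id = String(discordUserId);
  if (!SNOWFLAKE_RE.test(id)) return ''; // refuse to render legacy bad rows
  return `<button onclick="removeMapping('${escapeHtml(id)}')">Remove</button>`;
}
```

Rows stored before the format check existed are the reason renderRemoveButton re-validates at render time instead of trusting what is on disk.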

…h, duplicate fetch
- auth.js: cancel previous cleanup timer before scheduling new one in recordFailure so a single username under attack doesn't accumulate unbounded setTimeout handles
- auth.js: return new entry from recordFailure to eliminate second Map.get call in the login handler immediately after the write
- app.js: /api/webhook-secret now returns in-memory WEBHOOK_SECRET instead of calling readConfig() on every request
- web/script.js: copy-secret button reads from the already-populated input field instead of making a second fetch to /api/webhook-secret
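
The lockout, progressive delay and single-timer cleanup described in the two auth commits above, as an added example that is not the project's auth.js. Only recordFailure is a name from the page; the other names, the injectable clock and the sample IP are assumptions, and the password comparison itself is left to the caller.

```javascript
// Added example, not the project's auth.js. Names other than recordFailure are hypothetical.
const MAX_FAILURES = 5;          // consecutive failures before lockout
const LOCK_MS = 10 * 60 * 1000;  // 10-minute lock
const DELAY_STEP_MS = 300;       // progressive delay per failed attempt
const DELAY_CAP_MS = 4000;       // delay ceiling
const failures = new Map();      // username -> { count, lockedUntil, timer }

function isLocked(username, now = Date.now()) {
  const entry = failures.get(username);
  return Boolean(entry) && entry.lockedUntil > now;
}

function clearFailures(username) {
  const entry = failures.get(username);
  if (entry) clearTimeout(entry.timer);
  failures.delete(username);
}

function recordFailure(username, now = Date.now()) {
  const prev = failures.get(username);
  if (prev) clearTimeout(prev.timer); // keep one live cleanup timer per username
  const expired = prev && prev.lockedUntil && prev.lockedUntil <= now;
  const count = (prev && !expired ? prev.count : 0) + 1;
  const timer = setTimeout(() => failures.delete(username), LOCK_MS);
  timer.unref();                      // cleanup must not keep the process alive
  const lockedUntil = count >= MAX_FAILURES ? now + LOCK_MS : 0;
  const entry = { count, lockedUntil, timer };
  failures.set(username, entry);
  return entry;                       // caller reuses it, no second Map.get
}

function responseDelayMs(count) {
  return Math.min(DELAY_STEP_MS * count, DELAY_CAP_MS);
}

// passwordOk is the result of the caller's hash comparison (assumed already done).
function attemptLogin(username, ip, passwordOk, now = Date.now()) {
  if (isLocked(username, now)) return { status: 'locked', delayMs: 0 };
  if (passwordOk) {
    clearFailures(username);
    return { status: 'ok', delayMs: 0 };
  }
  const entry = recordFailure(username, now);
  // JSON.stringify keeps CR/LF in a hostile username from forging log lines.
  console.warn(`login failed user=${JSON.stringify(username)} ip=${ip} count=${entry.count}`);
  const status = entry.lockedUntil ? 'locked' : 'denied';
  return { status, delayMs: responseDelayMs(entry.count) };
}
```

A locked account rejects even a correct password until the lock expires, which is the behaviour to confirm when testing a change like this.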
Add [1.4.3] entry covering: Seerr rebrand (JELLYSEERR_* → SEERR_* with auto-migration), login brute-force protections (ref #80), XSS fix on discordUserId onclick, Jellyfin Content-Type fix, webhook debounce error cleanup, empty channel guard, pending requests persistence, and associated refactors.
Summary
Webhook reliability fixes
Persist pending DM requests across restarts
- savePendingRequests() / loadPendingRequests() helpers writing pending-requests.json next to config.json
- /request now still receive their DM notification even if the bot was restarted

Jellyfin webhook Content-Type fix
- express.json() was silently rejecting Jellyfin webhook bodies because Jellyfin sends Content-Type: text/plain — changed to express.json({ type: "*/*" }) to accept any content type

Seerr rebrand (Jellyseerr → Seerr)
- api/jellyseerr.js → api/seerr.js
- JELLYSEERR_* config keys to SEERR_* (URL, API_KEY, AUTO_APPROVE)
- jellyseerr* user mapping keys to seerr* (UserId, Username, DisplayName)
- config.json and USER_MAPPINGS with old keys are silently upgraded on first boot
- /api/v1/*) left unchanged — server-side paths are unaffected

Login brute-force protections (ref #80)