Fix Seerr session cookie detection, build.ps1 manifest array bug, and…#184
Open
Ryuiku wants to merge 1 commit into
Open
Fix Seerr session cookie detection, build.ps1 manifest array bug, and…#184Ryuiku wants to merge 1 commit into
Ryuiku wants to merge 1 commit into
Conversation
… meta.json generation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
DISCLAIMER: i used claude for this, i am not experienced in coding at all
however, i tested the final product and it resolved my issue.
Three fixes: Seerr session cookie detection, a
build.ps1manifest corruption bug, and missingmeta.jsongeneration inbuild.ps1This PR bundles three related fixes found while debugging a failed Seerr SSO
link on a self-hosted deployment, then building from source to verify the
fix end-to-end. Each is independent and could be split into separate PRs if
you'd prefer — let me know.
build.ps1corruptsmanifest.jsonwhen there's exactly one plugin entrybuild.ps1never generatesmeta.json, breaking clean manual installs1. Seerr SSO fails with "No session cookie received from Seerr" on deployments that rename the session cookie
Summary
SeerrSessionService.ReadSessionCookie()hardcodes the expected session cookiename as
connect.sid. That's the default name Express'sexpress-sessionmiddleware uses, and it's what Jellyseerr/Overseerr ship with — but a Seerr
instance can be configured (or forked/rebranded) to issue its session cookie
under a different name. When that happens, Moonfin never recognizes the
cookie, discards it, and the link flow fails with:
even though the auth request itself succeeded.
Reproduction
Environment: Seerr and Jellyfin/Moonfin both running as Docker containers on
the same host, talking over the internal Docker network via HTTP (no reverse
proxy involved).
No session cookie received from Seerr for user "USER".Found matching Jellyfin user; updating user with Jellyfin.the user.
(confirming connectivity + the auth call itself are both working).
Manually curling the auth endpoint reproduces it directly:
Response headers include:
The session cookie is named
sb.sid, notconnect.sid. (In this casesbreflects the deployment's own branding/tooling prefix — the exact prefixwill vary by deployment, which is the point: it isn't safe to assume the
cookie is always named
connect.sid.)Because
ReadSessionCookie()only looks for a cookie literally namedconnect.sid, it silently ignores thesb.sidcookie Seerr returns, and thelink flow reports no session cookie was received — even though one was.
Root cause
In
SeerrSessionService.cs:The cookie name
connect.sidis hardcoded in two more places as well(re-adding the stored cookie to the
CookieContainerbefore replaying it on/api/v1/auth/mevalidation calls and on proxied requests), so even patchingdetection alone wouldn't be enough — the stored session also needs to
remember which cookie name to send back.
Proposed fix
Attached is a patch (
SeerrSessionService.patch, unified diff) with thefollowing changes:
ReadSessionCookie()no longerassumes a name. It treats any
Set-Cookieentry that isn't a knownSeerr CSRF cookie (
XSRF-TOKEN,_csrf) as the session cookie, andreturns both its name and value.
SeerrSessiongets a newSessionCookieNamefield (defaulting toconnect.sidso existing storedsessions on disk keep deserializing and working without a migration).
validation (
/api/v1/auth/me) and the general Seerr proxy path bothconstruct their
Cookieusingsession.SessionCookieNameinstead of ahardcoded string.
CheckForRotatedCookieAsync, in case a deployment ever changes itmid-session (unlikely, but cheap to handle correctly).
This makes Moonfin resilient to any Seerr deployment that issues its session
cookie under a non-default name, without needing to special-case
sb.sidspecifically — the fix generalizes to any name.
2.
build.ps1corruptsmanifest.jsonwhen there's exactly one plugin entrySymptom
Running
build.ps1against amanifest.jsoncontaining a single pluginentry (i.e. before any releases exist yet, or after manually resetting to
one entry) throws:
If
manifest.jsonalready has multiple historical version entries in asingle plugin object, this doesn't reproduce — which is likely why it went
unnoticed.
Root cause
When the top-level JSON array has exactly one element, PowerShell's pipeline
enumeration unwraps it:
$Manifestends up as the bare plugin object ratherthan a one-item array.
$Manifest[0]still "works" here (indexing a scalarwith
[0]in PowerShell returns the scalar itself), so the read/modify stepdoesn't fail.
The corruption happens on write:
Serializing that not-quite-array value produces
{"value": [...], "Count": 1}instead of a plain[...]array — a knownConvertTo-Jsonartifact when it's handed something that isn't a genuinenative array. That gets written back to
manifest.json, permanentlycorrupting it for every subsequent run, since the next run's
$Manifest[0].versionsnow resolves to$null(the wrapper object has noversionsproperty), and indexing$null[0]throws the error above.Fix
$Manifestinto a real array immediately after parsing:$Manifest = @($Manifest), so behavior is identical regardless of entrycount.
ConvertTo-Json -AsArrayisn't available, since that parameter requiresPowerShell 6+):
3.
build.ps1never generatesmeta.jsonSymptom
Jellyfin requires a
meta.jsonin every plugin's install directory —it's used to identify the plugin (guid/name/version) and to allowlist which
DLLs are permitted to load (
PluginManagercross-references a manifestassemblieslist against what's physically present in the folder). If it'smissing, Jellyfin falls back to a synthetic manifest built from the folder
name, with no declared version or assembly allowlist.
build.ps1currently packages the compiled DLL and bundled frontend intothe release zip, but never writes a
meta.jsoninto it. This doesn't showup when updating an existing install (the previously-installed
meta.jsonis just left in place), but breaks a clean manual install into an empty
plugin folder — e.g. exactly the workflow this repo's README documents
under "Building from Source."
Fix
build.ps1now generatesmeta.jsonautomatically before zipping, sourcingthe plugin's identity fields (
guid,name,description,overview,owner,category) directly frommanifest.jsonrather than duplicatingthem as a second hardcoded copy that could drift out of sync over time. The
current version's
changelogis also pulled frommanifest.json'sversions[0].changelog, and both files now share one$Timestampvaluecomputed once, so they're stamped identically for a given build.
If
manifest.jsonis missing, the script prints a warning and continuesrather than failing outright, since not every checkout will have one.
Files changed
SeerrSessionService.cs— fix 1build.ps1— fixes 2 and 3Happy to split these into separate PRs if that's preferred, or answer
questions about any of the three. All three were verified against a live
Jellyfin + Seerr Docker deployment, including a full from-source build on
Windows following the README's documented build steps.