
Authentication error Jellyseerr iFrame in Jellyfin #455

Open
1 task done
ThomasVicot opened this issue Aug 17, 2023 · 5 comments · May be fixed by #975

Comments

@ThomasVicot

Description

Hello everyone,

I have my jellyfin server and my jellyseerr server accessible via a different dynamic dns (noIP) in https behind an Apache reverse proxy.

I've integrated jellyseerr as an iframe instead of the trailer tab.

I can see the login page but I can't connect, error 401 unauthorized, I've tried lots of solutions without success. When I access https://JELLYSEERR.ddns.net directly, I can connect without any problem. I was able to figure out that the problem was due to cookies and probably to the sharing of cookies between domains without resolving the problem.

I've tested the connection via API with X-Api-Key, everything works but the connection is auto on the Owner account, not usable as I'm sharing the server with my family/friends. I haven't managed to configure the connection on an account other than the owner.

I also have a configuration with the same config that works perfectly with Ombi in iframe on jellyfin in https.

Do you have any ideas on how to enable authentication? Or (perhaps the best) keep the API connection but be able to choose auto connection to another account (without admin rights)?
I've tried a huge number of things without success; I'm starting to run out of ideas.

Thanks

Version

1.6.0

Steps to Reproduce

Authentication in iframe

Screenshots

No response

Logs

No response

Platform

desktop

Device

PC

Operating System

Debian

Browser

Chrome, Safari, Edge, Firefox

Additional Context

No response

Code of Conduct

  • I agree to follow Overseerr's Code of Conduct
@sundermann

This is caused by the sameSite cookie setting. If you change https://github.com/Fallenbagel/jellyseerr/blob/develop/server/index.ts#L165 to false, requests inside an iframe from another domain should work. Keep in mind that this completely disables CSRF protection.

Here's a patched jellyfin-web that additionally renders custom menulinks as iframe allowing easy integration with Jellyseerr

Ruakij added a commit to Ruakij/jellyseerr that referenced this issue Sep 22, 2024

feat: add Content-Security-Header, allows setting frame-ancestor domains and moved font local

fix Fallenbagel#455
@Ruakij

Ruakij commented Sep 23, 2024

Whoops, sorry for that spam

Ruakij added a commit to Ruakij/jellyseerr that referenced this issue Sep 23, 2024
@ThomasVicot
Author

Hello @sundermann
I did try changing the argument to something like:
sameSite: settings.main.csrfProtection ? 'strict' : 'lax', to samesite: false,

I still can't connect.
Have I made a mistake?

Hi @Ruakij no problem for spam

Thank you

Ruakij added a commit to Ruakij/jellyseerr that referenced this issue Sep 24, 2024
@Ruakij

Ruakij commented Sep 24, 2024

Hello @sundermann I did try changing the argument to something like: sameSite: settings.main.csrfProtection ? 'strict' : 'lax', to samesite: false,

You need to set it to 'none', otherwise it's left unset and a modern browser will automatically assume either 'lax' (in the case of Chrome) or 'none' (in the case of Firefox).

And even though 'lax' sounds nice, it actually only allows a few edge cases blocked by 'strict' (like after being redirected from another site, even if you clicked the link yourself).
It is unfortunate there isn't an option to specify which origins a cookie is allowed from.

Feel free to simply cherry-pick my commit; I fixed a thing, but now it should work nicely.
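
The following is an added example in JavaScript, not Jellyseerr's own code and not code posted by sundermann or Ruakij. It models the behaviour discussed in this comment and in the earlier one about server/index.ts: how a browser decides whether the connect.sid session cookie is attached to the login POST that Jellyseerr's form makes from inside a cross-site iframe, for each sameSite value tried in the thread (strict, lax, unset via `false`, and none with or without Secure), and how the `cookie` options map onto Set-Cookie attributes. It also builds the CSP frame-ancestors value that the referenced commit uses to allow-list embedding origins. The Jellyfin hostname, all function names, and the simplification that a "site" is compared as a whole origin (real browsers compare registrable domains) are assumptions.

```javascript
// Added example, not Jellyseerr project code. Models whether a browser attaches the
// `connect.sid` cookie to a request made from inside a cross-site iframe, for each
// `sameSite` value discussed in the thread. Function names are assumptions.

// What a browser assumes when the SameSite attribute is absent: Chrome treats the
// cookie as Lax, Firefox as None (as described in the thread).
const UNSET_DEFAULT = { chrome: 'lax', firefox: 'none' };

// Render the Set-Cookie attributes that `cookie: { sameSite, secure }` produces.
// `sameSite: false` (or undefined) omits the attribute entirely.
function cookieAttributes(options) {
  const attrs = ['connect.sid=<opaque-session-id>', 'Path=/', 'HttpOnly'];
  if (options.secure) attrs.push('Secure');
  if (options.sameSite) {
    const v = options.sameSite;
    attrs.push(`SameSite=${v[0].toUpperCase()}${v.slice(1)}`);
  }
  return attrs.join('; ');
}

// Decide whether the cookie is attached to `request`.
// request = { topLevelSite, requestSite, method, isTopLevelNavigation, https }
// "Site" is compared as a whole origin here (simplification); real browsers compare
// registrable domains, which gives the same answer for two distinct hosts.
function willSendCookie(options, request, browser = 'chrome') {
  // A Secure cookie is never sent over plain HTTP.
  if (options.secure && !request.https) return false;

  const crossSite = request.topLevelSite !== request.requestSite;
  if (!crossSite) return true;

  const explicit = Boolean(options.sameSite);
  const sameSite = explicit ? options.sameSite : UNSET_DEFAULT[browser];

  switch (sameSite) {
    case 'strict':
      // Never sent on cross-site requests; this is what the CSRF protection relies on.
      return false;
    case 'lax':
      // Sent only on top-level navigations with a safe method. The login POST made
      // from inside an iframe is neither, so it arrives without the cookie (401).
      return request.isTopLevelNavigation && request.method === 'GET';
    case 'none':
      // An explicit SameSite=None cookie is rejected unless it is also Secure
      // (Chrome's rule); a cookie that merely defaults to None in Firefox is not.
      return explicit ? Boolean(options.secure) : true;
    default:
      return false;
  }
}

// The situation from the issue: Jellyseerr's login form, embedded in an iframe on
// the Jellyfin origin, POSTs to the Jellyseerr origin. Jellyfin host is assumed.
const IFRAME_LOGIN_POST = {
  topLevelSite: 'https://JELLYFIN.ddns.net',
  requestSite: 'https://JELLYSEERR.ddns.net',
  method: 'POST',
  isTopLevelNavigation: false,
  https: true,
};

// Try every setting the thread mentions and report which ones let the cookie through.
function iframeLoginOutcomes(browser) {
  const candidates = {
    strict: { sameSite: 'strict', secure: true }, // csrfProtection enabled
    lax: { sameSite: 'lax', secure: true },       // csrfProtection disabled
    unset: { sameSite: false, secure: true },     // the `false` change tried above
    noneInsecure: { sameSite: 'none', secure: false },
    noneSecure: { sameSite: 'none', secure: true },
  };
  const outcomes = {};
  for (const [name, opts] of Object.entries(candidates)) {
    outcomes[name] = willSendCookie(opts, IFRAME_LOGIN_POST, browser);
  }
  return outcomes;
}

// Relaxing SameSite lets any site embed the login page; a CSP frame-ancestors
// directive (the approach of the commit referenced above) limits embedding to an
// allow-list. Returns the Content-Security-Policy header value.
function frameAncestorsHeader(allowedOrigins) {
  return `frame-ancestors ${["'self'", ...allowedOrigins].join(' ')}`;
}

console.log(cookieAttributes({ sameSite: 'none', secure: true }));
console.log('chrome ', iframeLoginOutcomes('chrome'));
console.log('firefox', iframeLoginOutcomes('firefox'));
console.log(frameAncestorsHeader(['https://JELLYFIN.ddns.net']));
```

Running it shows that only `sameSite: 'none'` together with `secure: true` lets the cookie reach the cross-site login POST in Chrome; with the attribute unset, Chrome falls back to Lax and still blocks it, while Firefox lets it through. The Secure requirement is the check worth making when 'none' alone does not fix the 401: the cookie must be issued over HTTPS, which behind a reverse proxy means Express must see the request as secure (trust proxy) for `secure: true` to be applied.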

@ThomasVicot
Author

ThomasVicot commented Sep 24, 2024

Thanks for your feedback
I tried ‘none’ too, without success.
When I try to connect through the iframe I always get error 401 related to connect.sid

I have also tried to host Jellyfin and Jellyseerr on the same server (192.168.1.1:50**) without success.

Ruakij added a commit to Ruakij/jellyseerr that referenced this issue Sep 27, 2024