merge branch 'develop' into 'main' - Release v1.7.28

Only publish container images to git.i3omb.com registry.

.env.sample

@@ -35,6 +35,13 @@ SOFARR_WEBHOOK_SECRET=your-webhook-secret-here
 # Example: https://sofarr.example.com or https://192.168.1.100:3001
 SOFARR_BASE_URL=https://your-sofarr-url
 
+# Optional dedicated base URL for webhooks (e.g. for reverse proxies / docker networking)
+# If configured, webhook registration in Sonarr, Radarr, and Ombi will use this URL.
+# Useful if those services reside in the same local network/docker container setup and
+# cannot route to the public SOFARR_BASE_URL due to loopback/DNS restrictions (avoiding 503s).
+# Example: http://sofarr:3001 or http://192.168.1.50:3001
+# SOFARR_WEBHOOK_BASE_URL=http://sofarr:3001
+
 # --- Webhook Polling Optimization (Phase 5) ---
 
 # Minutes of silence after which the poller falls back to a full poll
@@ -162,6 +169,9 @@ RADARR_INSTANCES=[{"name":"main","url":"https://radarr.example.com","apiKey":"yo
 # =============================================================================
 OMBI_URL=https://ombi.example.com
 OMBI_API_KEY=your-ombi-api-key-here
+# Optional: Delay in milliseconds to wait before refreshing the cache after receiving an Ombi webhook
+# to resolve the race condition where Ombi fires the webhook before committing to its database.
+# OMBI_WEBHOOK_REFRESH_DELAY_MS=2000
 
 # =============================================================================
 # NOTES

.gitea/workflows/build-image.yml

@@ -6,6 +6,10 @@ on:
       - 'release/**'
       - 'develop*'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -23,23 +27,17 @@ jobs:
           if [[ "$BRANCH" == develop* ]]; then
             # Sanitise branch name for tag: replace slashes with dashes
             SAFE_BRANCH=$(echo "$BRANCH" | tr '/' '-')
-            TAGS="reg.i3omb.com/sofarr:${SAFE_BRANCH}"
-            TAGS="${TAGS},git.i3omb.com/gandalf/sofarr:${SAFE_BRANCH}"
+            TAGS="git.i3omb.com/gandalf/sofarr:${SAFE_BRANCH}"
             echo "tags=${TAGS}" >> $GITHUB_OUTPUT
             echo "Building develop image tags: ${TAGS}"
           else
             RELEASE_NAME=${BRANCH#release/}
-            
-            # Primary registry tags
-            TAGS="reg.i3omb.com/sofarr:${VERSION}"
-            TAGS="${TAGS},reg.i3omb.com/sofarr:${RELEASE_NAME}"
-            TAGS="${TAGS},reg.i3omb.com/sofarr:latest"
-            
+
             # Gitea package registry tags
-            TAGS="${TAGS},git.i3omb.com/gandalf/sofarr:${VERSION}"
+            TAGS="git.i3omb.com/gandalf/sofarr:${VERSION}"
             TAGS="${TAGS},git.i3omb.com/gandalf/sofarr:${RELEASE_NAME}"
             TAGS="${TAGS},git.i3omb.com/gandalf/sofarr:latest"
-            
+
             echo "tags=${TAGS}" >> $GITHUB_OUTPUT
             echo "Building release image tags: ${TAGS}"
           fi

.gitea/workflows/ci.yml

@@ -2,9 +2,13 @@ name: CI
 
 on:
   push:
-    branches: ["**"]
+    branches: ["**", "!release/**"]
   pull_request:
-    branches: ["**"]
+    branches: ["**", "!release/**"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   audit:

.gitignore

@@ -11,4 +11,5 @@ data/
 *.db-wal
 *.db-shm
 .agents/
-.windsurf/
+.windsurf/
+scratch/

ARCHITECTURE.md

@@ -393,9 +393,9 @@ POST /api/webhook/ombi
 Both endpoints share identical processing logic:
 
 ```
-Sonarr/Radarr
+Sonarr/Radarr/Ombi
     POST /api/webhook/sonarr
-    Headers: X-Sofarr-Webhook-Secret: <secret>
+    Headers: X-Sofarr-Webhook-Secret: <secret> OR URL parameter: ?secret=<secret>
     Body:    { "eventType": "Grab", "instanceName": "Main Sonarr",
                "date": "2026-05-19T10:00:00.000Z", … }
         │
@@ -404,6 +404,7 @@ Sonarr/Radarr
         │
         ▼
     validateWebhookSecret()  ──fail──► 401 Unauthorized
+        (Checks header or query param)
         │ ok
         ▼
     validatePayload()        ──fail──► 400 Bad Request
@@ -1002,19 +1003,19 @@ sofarr provides a togglable, real-time log capturing and streaming engine allowi
 
 ```mermaid
 flowchart LR
-    subgraph Browser (SPA)
+    subgraph Browser ["Browser (SPA)"]
         console["console.log/warn/error"] --> queue["logQueue (batched)"]
         queue --> |POST /api/debug/client-logs| ingestionRoute["POST router handler"]
     end
 
-    subgraph Node.js (Server)
+    subgraph Server ["Node.js (Server)"]
         stdout["process.stdout.write"] --> capture["processStreamData()"]
         stderr["process.stderr.write"] --> capture
-        capture --> |stripAnsi()| serverBuffer["logBuffer (rolling 1000 lines)"]
-        capture --> |emit('server-log')| serverSse["GET /api/debug/server-logs (SSE)"]
+        capture --> |stripAnsi| serverBuffer["logBuffer (rolling 1000 lines)"]
+        capture --> |emit server-log| serverSse["GET /api/debug/server-logs (SSE)"]
 
         ingestionRoute --> clientBuffer["clientLogBuffer (rolling 1000 lines)"]
-        ingestionRoute --> |emit('client-log')| clientSse["GET /api/debug/client-logs (SSE)"]
+        ingestionRoute --> |emit client-log| clientSse["GET /api/debug/client-logs (SSE)"]
     end
 ```
 
@@ -1224,7 +1225,7 @@ Each instance receives an `id` derived from `name` (or index if unnamed), used a
 | Concern | Mechanism |
 |---------|-----------|
 | **Secret validation** | Every webhook request must carry `X-Sofarr-Webhook-Secret` matching `SOFARR_WEBHOOK_SECRET`. Absent or wrong secret → `401`. Webhook endpoints function outside the CSRF middleware (they are not browser-initiated). |
-| **Rate limiting** | Dedicated `webhookLimiter`: 60 req/min per IP (stricter than the general 300 req/15 min limiter). |
+| **Rate limiting** | Dedicated `webhookLimiter`: 60 req/min per IP (stricter than the general 300 req/15 min limiter). Bypassed in testing/dev via `SKIP_RATE_LIMIT=1`. |
 | **Payload validation** | `validatePayload()` enforces: JSON object body, `eventType` as a non-empty string ≤ 64 chars, `eventType` in the allowlist, `instanceName` as string if present. Rejects with `400` on any violation. |
 | **Replay protection** | `isReplay()` caches a composite key `{eventType}:{instanceName}:{date}` for 5 minutes. Duplicate events within that window are acknowledged with `200 { received: true, duplicate: true }` and not processed. |
 
@@ -1232,7 +1233,7 @@ Each instance receives an `id` derived from `name` (or index if unnamed), used a
 
 | Concern | Mechanism |
 |---------|-----------|
-| **Rate limiting** | 300 req/15 min general (all API routes); 10 failed attempts/15 min login limiter; 60 req/1 min webhook limiter. |
+| **Rate limiting** | General API limiter (300 req/15 min on `/api/*` prefix) exempts `/api/dashboard/cover-art` requests; Login limiter (10 attempts/15 min) employs `skipSuccessfulRequests: true` to count failed attempts only; Webhook limiter runs 60 req/1 min on `/api/webhook/*` endpoints; Root `/health` and `/ready` probes are entirely exempt. All limiters bypassable in testing via `SKIP_RATE_LIMIT=1` or `createApp({ skipRateLimits: true })`. |
 | **Secret leakage** | `sanitizeError()` (`server/utils/sanitizeError.js`) redacts secrets from error messages and logs: URL query-param secrets (`apikey=`, `token=`), HTTP auth headers (`Authorization:`, `X-Emby-Authorization:`), Bearer tokens, and basic-auth credentials in URLs. |
 | **HTTP headers** | Helmet v7: CSP with per-request nonce (`crypto.randomBytes(16)` for inline styles/scripts), HSTS, `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, `Referrer-Policy`, `Permissions-Policy`. |
 | **Body size** | `express.json` body limit: 64 KB. |

CHANGELOG.md

@@ -4,6 +4,156 @@ All notable changes to this project will be documented in this file.
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.7.28] - 2026-05-27
+
+### Fixed
+
+- **Missing Sonarr Link on TV Requests (Issue #58)** — Resolved a bug where the Sonarr deep-link button was missing on TV request cards while Radarr links correctly appeared on movie request cards. Added support for all camelCase TVDB ID variants (`tvDbId`, `tvdbId`, `theTvdbId`, `theTvDbId`, `TvDbId`, `TheTvDbId`) on both backend link decoration (`server/utils/ombiHelpers.js`) and frontend rendering (`client/src/ui/requests.js`). Added a dedicated integration test to safeguard links decoration for TV requests.
+
+## [1.7.27] - 2026-05-27
+
+### Fixed
+
+- **Frontend Dashboard Serve Regression (Issue #57)** — Resolved a critical regression where the Vite-built frontend dashboard UI was not served. Consolidated Express configurations by migrating static files serving and SPA routing into the `createApp` factory in `server/app.js`. Cleaned up `server/index.js` to import and instantiate the app from the factory, successfully eliminating over 300 lines of duplicate route and middleware registrations, and ensuring alignment between development testing and production runtime configurations.
+
+## [1.7.26] - 2026-05-27
+
+### Fixed
+
+- **Missing Ombi & *Arr Request Links (Issue #56)** — Resolved an issue where the Ombi and *Arr lookup buttons failed to appear against request cards. Added `decorateRequestsWithArrLinks` to aggregate IDs and query Radarr/Sonarr libraries during SSE stream decoration and backend REST fetching. Also fixed a frontend condition failing to generate Ombi links for TV requests by checking a broader set of ID properties (`theTvDbId`, `theTmdbId`, `imdbId`).
+
+## [1.7.25] - 2026-05-27
+
+### Fixed
+
+- **Ombi TV Request Status, User, and Date Resolution (Issue #53)** — Resolved the root cause where Ombi TV show requests consistently displayed "unknown" status, "unknown" user, and missing request dates. The Ombi API nests all TV request data (`requestedUser`, `approved`, `available`, `denied`, `requested`, `requestedDate`) inside `childRequests[]` sub-objects, while the application previously only inspected top-level properties.
+  - `OmbiRetriever._hydrateRequest()` now hydrates `requestedUser` on each `childRequests` entry and promotes `requestedDate` from `childRequests[0]` to the top level.
+  - `getRequestStatus()` (server and client) now aggregates status flags from `childRequests[]` when top-level properties are absent.
+  - Client-side date display now falls back to `childRequests[0].requestedDate` as a defensive measure.
+
+## [1.7.24] - 2026-05-27
+
+### Enhanced
+
+- **Gitea Actions Prioritization** — Optimized CI/CD workflow pipeline executions to prioritize critical `build-image` Docker compilation runs. Redundant security audits, tests, coverage generation, and RAML packages are now bypassed on `release/**` branches (which have already passed validation during development on `develop`).
+- **Workflow Concurrency Controls** — Configured active concurrency groups with `cancel-in-progress: true` inside both `ci.yml` and `build-image.yml` pipelines, ensuring obsolete running jobs are aborted instantly when newer commits are pushed.
+
+## [1.7.23] - 2026-05-27
+
+### Enhanced
+
+- **Request Card Link Alignment (Issue #55)** — Aligned deep links on request cards (Ombi link and administrator Sonarr/Radarr deep links) with the elegant, inline `.service-icon` styling used across the downloads and history dashboard cards. Replaced bulky button elements with clean hoverable icons in a shared `.service-icons-container`, maintaining strict administrator-only visibility for *arr links.
+
+## [1.7.22] - 2026-05-27
+
+### Fixed
+
+- **Theme Switcher Multi-Button Support (Issue #54)** — Resolved a frontend bug where themes other than Light failed to apply because the Javascript code queried a non-existent `#theme-toggle` element. Re-engineered the switcher to query all `.theme-btn` selectors inside `.theme-switcher`, managing and toggling the active class styling across `light`, `dark`, and `mono` themes, and cleanly persisting choices to local storage.
+- **Ombi TV Requester User Extraction Fallback (Issue #53)** — Resolved a bug where TV show requests from Ombi displayed as "unknown" user because requester attributes were nested under non-standard properties (`user`, `requestedBy`, `ombiUser`, `requestedByUser`, and nested seasons/child requests arrays). Added robust multi-layer extraction logic on both backend and frontend layers to resolve requester usernames under all TV request structures.
+- **Configurable Webhook Commit Delay & Retry Loop (Issue #53)** — Mitigated race conditions between Ombi webhook events and database commits by introducing a configurable `OMBI_WEBHOOK_REFRESH_DELAY_MS` delay (defaulting to `2000`) and a smart 3-attempt retry polling loop to verify updated requester data before cache updates.
+
+### Added
+
+- **Admin Request Card *arr Library Lookup (Issue #53)** — Added library deep-link lookup for admin views. Request cards now query Sonarr and Radarr library caches and dynamically render deep-link navigation icons in the card actions container if the item exists.
+- **Request Date/Time Presentation** — Added request date and time display inside request cards formatted as `YYYY-MM-DD HH:MM`.
+- **Unknown (Ombi) Dotted Underline Tooltip** — Added user-friendly placeholder "Unknown (Ombi)" with dotted underline and explanatory hover tooltip when user details are unavailable from the Ombi database.
+- **Expanded Test Coverage** — Introduced two new frontend DOM test suites (`tests/frontend/ui/theme.test.js` and `tests/frontend/ui/requests.test.js`) and robust backend unit test assertions in `tests/unit/ombiHelpers.test.js`.
+
+---
+
+## [1.7.21] - 2026-05-26
+
+### Fixed
+
+- **Ombi Webhook Test Loopback Fallback** — Resolved a persistent failure on the Ombi webhook test button when Sofarr sits behind a reverse proxy or in loopback-restricted environments. When the outbound request to the public webhook URL (`SOFARR_BASE_URL`) fails due to loopback/NAT routing limits, the server now transparently falls back to a secure local loopback request (`127.0.0.1`) with smart TLS detection and SSL error bypass (`rejectUnauthorized: false`).
+- **Resilient Webhook Mocks in Tests** — Updated integration test assertions to verify the loopback fallback path under both HTTP and HTTPS configurations, ensuring full compatibility across dev, test, and production container environments.
+
+---
+
+## [1.7.21] - 2026-05-26
+
+### Fixed
+
+- **Webhook Loopback & Hairpin NAT Connectivity** — Implemented a robust local loopback fallback inside the Ombi webhook testing endpoint to bypass NAT loopback and DNS resolution issues common in setups behind reverse proxies. When the outbound request to the public URL fails, the server automatically routes the request internally via `127.0.0.1` using automatic TLS credentials detection and SSL validation bypass for loopback requests. Added comprehensive integration tests verifying the fallback behavior.
+- **Dedicated Webhook Base URL Support** — Added support for a new `SOFARR_WEBHOOK_BASE_URL` environment variable inside `server/routes/sonarr.js`, `server/routes/radarr.js`, and `server/routes/ombi.js`. This allows setups behind reverse proxies to declare an internal/custom base URL specifically for webhooks, enabling Sonarr, Radarr, and Ombi to send webhook events directly to the server via internal container networking, resolving `503 Service Unavailable` errors.
+
+---
+
+## [1.7.20] - 2026-05-26
+
+### Fixed
+
+- **Ombi Requesting User Hydration (Issue #51)** — Resolved a bug where Sofarr displayed "Unknown" for the requesting user on requests even when the Ombi database contains valid user information. Added automatic requestedUser object hydration on the server side by fetching the full user list from `/api/v1/Identity/Users` and caching it in memory. If a request is missing the nested `requestedUser` details but possesses a valid `requestedUserId`, Sofarr automatically resolves and binds the user's username/alias. Added robust unit tests safeguarding the client and the retriever. Resolves Gitea Issue [#51](https://git.i3omb.com/Gandalf/sofarr/issues/51).
+
+### Changed
+
+- **Aligned Gitea Interaction Skill** — Updated `.windsurf/skills/gitea-interaction/SKILL.md` to align with the Antigravity `tea-interaction` hybrid interaction model guidelines, detailing when to use the editor extension versus the Gitea CLI.
+
+---
+
+## [1.7.19] - 2026-05-25
+
+### Fixed
+
+- **Requests Mobile CSS Overflow Fix (Issue #49)** — Resolved the remaining viewport overflow on narrow screens by adding `min-width: 0` to `.request-card` to allow proper flexbox and grid shrinking, reducing mobile `.main-tabs` padding to `0 8px`, and tightening `.requests-container` mobile padding to `8px`.
+- **Admin *arr Badge Links on Active Downloads (Issue #50)** — Fixed the missing Sonarr/Radarr badges and links on active downloads for admin users. Enabled robust `_instanceUrl` propagation during queue/history metadata compilation (`buildMetadataMaps`) and active matching (`DownloadMatcher.js`) to ensure link generation succeeds. Added complete schema documentation in OpenAPI.
+
+---
+
+## [1.7.18] - 2026-05-24
+
+### Fixed
+
+- **Mobile overflow on Requests tab** — Request cards no longer extend off the right edge of the screen on mobile browsers. Removed `white-space: nowrap` from `.request-title` to allow text truncation with ellipsis, added `overflow-x: hidden` to `.requests-list` as a safety net, and added `@media (max-width: 768px)` rules to reduce padding and tighten gaps on mobile. Resolves Gitea Issue [#49](https://git.i3omb.com/Gandalf/sofarr/issues/49).
+
+---
+
+## [1.7.17] - 2026-05-24
+
+### Fixed
+
+- **Blocklist-Search Persistent Failure (Regression from v1.7.16)** — Identified and corrected the true root cause of the blocklist-and-search feature being non-functional. The v1.7.16 fix correctly cast both sides of the queue ID comparison to `String`, but the lookup was performed against `downloadClientRegistry.getAllDownloads()`, which returns **raw download-client data** (qBittorrent, SABnzbd, etc.) that never has `arrQueueId` populated — that field is only assigned by `DownloadMatcher.js` during the SSE build phase from the *arr cache. For qBittorrent torrents specifically, `QBittorrentClient.normalizeDownload()` does not set `arrQueueId` at all, so the lookup always returned `undefined` and the request was rejected with `403`. The permission check in `POST /api/dashboard/blocklist-search` now looks up the queue record directly from the Sonarr/Radarr queue cache (`poll:sonarr-queue` / `poll:radarr-queue`) where `record.id` is the numeric queue ID, using `String()` casting on both sides to handle the DOM-dataset (string) vs API response (number) type difference. Resolves Gitea Issue [#48](https://git.i3omb.com/Gandalf/sofarr/issues/48) (regression).
+
+---
+
+## [1.7.16] - 2026-05-24
+
+### Fixed
+
+- **Blocklist-Search Queue ID Type Mismatch** — Resolved a bug where the "Blocklist and search" action consistently returned `403 Download not found or permission denied` for all users. The server-side download lookup in `server/routes/dashboard.js` used strict equality (`===`) to compare `arrQueueId` values, but the value sent from the SPA client (read from a DOM `data-*` attribute) is always a `string`, while the value populated from the Radarr/Sonarr queue API is a `number`. Both sides are now cast to `String` before comparison, resolving the false-negative match failure. Resolves Gitea Issue [#48](https://git.i3omb.com/Gandalf/sofarr/issues/48).
+
+---
+
+## [1.7.15] - 2026-05-24
+
+### Fixed
+
+- **Ombi Webhook Authentication Failures** — Resolved a critical issue where Ombi webhook notifications failed to authenticate because Ombi's built-in notification agent does not support custom HTTP headers (such as `X-Sofarr-Webhook-Secret`). Added a query parameter authentication fallback (`?secret=`) to all `/api/webhook/*` endpoints (Sonarr, Radarr, and Ombi) and configured Ombi webhook registration to automatically append this secret query parameter. Resolves Gitea Issue [#47](https://git.i3omb.com/Gandalf/sofarr/issues/47).
+
+---
+
+## [1.7.14] - 2026-05-24
+
+### Fixed
+
+- **Undefined Reference Error in Background Poller** — Resolved a critical runtime exception in the background scheduler loop (`server/utils/poller.js`) where `logToFile` was called on cache updates but was never imported at the top of the file, previously triggering `[Poller] Poll error: logToFile is not defined` on every interval loop.
+
+---
+
+## [1.7.13] - 2026-05-24
+
+### Changed
+
+- **Comprehensive OpenAPI & Swagger Specification Remediation** — Bumped the API documentation version to `1.7.13` and fully documented all operational rate-limiting configurations, exemptions, and bypasses in `server/openapi.yaml` (including general cover-art exclusions, failed-only login trackers, webhook limiters, and rate-limit exempt root health probes).
+- **Aligned Health Check Endpoint Implementation** — Enhanced the express application factory `/health` endpoint to dynamically require and return the active version from `package.json`, keeping it fully aligned with the production entrypoint server logic.
+- **Synchronized Security & System Architecture Docs** — Aligned security matrices and threat mitigations in `SECURITY.md` and rate-limiting testing configurations in `ARCHITECTURE.md`.
+
+### Added
+
+- **Swagger API Coverage Verification Integration** — Implemented comprehensive assertions within `tests/integration/swagger-coverage.test.js` to dynamically verify that all newly added logging and debug endpoints (`/api/debug/*`) are fully represented in the active specification, raising test suite coverage to 876 passing checks.
+
+---
+
 ## [1.7.12] - 2026-05-24
 
 ### Added

SECURITY.md

@@ -40,7 +40,7 @@ users via Emby. The primary threat surface when exposed to the public internet:
 | Privilege escalation (container) | Non-root user (UID 1000), `no-new-privileges`, all caps dropped |
 | Unbounded log growth | Size-based rotation: 10 MB cap, 3 rotated files kept |
 | Dependency vulnerabilities | `npm audit --audit-level=high` in CI on every push |
-| Unauthorized webhook injection | `SOFARR_WEBHOOK_SECRET` required on `X-Sofarr-Webhook-Secret` header; 401 on mismatch |
+| Unauthorized webhook injection | `SOFARR_WEBHOOK_SECRET` required on `X-Sofarr-Webhook-Secret` header or `secret` query parameter; 401 on mismatch |
 | Webhook payload injection | `validatePayload()` allowlists 18 known event types; rejects non-object bodies and overlong fields |
 | Webhook replay attacks | `isReplay()` tracks `(eventType, instanceName, date)` tuples for 5 minutes; duplicate events return `200 { duplicate: true }` without cache mutation |
 | Webhook flood / DoS | Dedicated rate limiter: 60 requests/min per IP on `/api/webhook/*` |
@@ -162,12 +162,13 @@ server {
 
 ## Rate Limits
 
-| Endpoint | Limit |
-|----------|-------|
-| `POST /api/auth/login` | 10 failed attempts per 15 min per IP |
-| All `/api/*` routes | 300 requests per 15 min per IP |
-| `POST /api/webhook/*` | 60 requests per 1 min per IP (webhook-specific limiter, stricter than general) |
-| `GET /api/swagger` | No rate limit (public documentation) |
+| Endpoint | Limit | Details & Exemptions |
+|----------|-------|----------------------|
+| `POST /api/auth/login` | 10 attempts per 15 min per IP | **Only failed attempts count** (`skipSuccessfulRequests: true`). Successful requests are not counted. |
+| All `/api/*` routes | 300 requests per 15 min per IP | General rate limiting. **Exempts `/api/dashboard/cover-art` requests** to avoid page layout image loading exhaustion. |
+| `POST /api/webhook/*` | 60 requests per 1 min per IP | Webhook-specific limiter, stricter than general. |
+| `/health` and `/ready` | Exempt | Root-level liveness/readiness probes bypass rate limiters completely. |
+| `GET /api/swagger` | Exempt | Public Swagger UI documentation does not enforce rate limits. |
 
 ---
 

client/src/ui/requests.js

@@ -17,17 +17,52 @@ import { applyRequestFilters, getRequestStatus } from '../utils/ombiFilters.js';
 function extractRequestedUser(request) {
   if (!request) return '';
 
-  // Handle object format: OmbiStore.Entities.OmbiUser
-  if (request.requestedUser && typeof request.requestedUser === 'object') {
-    // Priority: alias > userAlias > userName > normalizedUserName > requestedByAlias
-    return request.requestedUser.alias || 
-           request.requestedUser.userAlias || 
-           request.requestedUser.userName || 
-           request.requestedUser.normalizedUserName || 
-           request.requestedByAlias || '';
+  // Try to locate a user object or string from various fields common to Ombi Movies and TV shows
+  const userSource = request.requestedUser || request.RequestedUser ||
+                     request.user || request.User ||
+                     request.requestedBy || request.RequestedBy ||
+                     request.ombiUser || request.OmbiUser ||
+                     request.requestedByUser || request.RequestedByUser;
+
+  // If userSource is an object, extract key fields
+  if (userSource && typeof userSource === 'object') {
+    const username = userSource.alias || userSource.Alias ||
+                     userSource.userAlias || userSource.UserAlias ||
+                     userSource.userName || userSource.UserName ||
+                     userSource.normalizedUserName || userSource.NormalizedUserName ||
+                     userSource.displayName || userSource.DisplayName ||
+                     userSource.email || userSource.Email;
+    if (username) return username;
   }
-  // Handle string format (fallback for compatibility)
-  return request.requestedUser || request.requestedByAlias || '';
+
+  // If userSource is a string
+  if (userSource && typeof userSource === 'string') {
+    return userSource;
+  }
+
+  // Fallbacks on the request root level
+  const rootFallback = request.requestedByAlias || request.RequestedByAlias ||
+                       request.requestedByUsername || request.RequestedByUsername ||
+                       request.requester || request.Requester ||
+                       request.requestedByEmail || request.RequestedByEmail;
+  if (rootFallback) return rootFallback;
+
+  // Check seasons / childRequests nested arrays (common for Ombi TV show requests)
+  if (Array.isArray(request.seasons)) {
+    for (const season of request.seasons) {
+      const seasonUser = extractRequestedUser(season);
+      if (seasonUser) return seasonUser;
+    }
+  }
+  
+  if (Array.isArray(request.childRequests)) {
+    for (const child of request.childRequests) {
+      const childUser = extractRequestedUser(child);
+      if (childUser) return childUser;
+    }
+  }
+
+  return '';
 }
 
 export function renderRequests() {
@@ -111,11 +146,39 @@ function createRequestCard(request) {
   }
 
   const username = extractRequestedUser(request);
+  const user = document.createElement('span');
+  user.className = 'request-user';
   if (username) {
-    const user = document.createElement('span');
-    user.className = 'request-user';
     user.textContent = `Requested by: ${username}`;
-    meta.appendChild(user);
+  } else {
+    user.textContent = 'Requested by: Unknown (Ombi)';
+    user.title = 'No user information received from Ombi';
+    user.style.cursor = 'help';
+    user.style.textDecoration = 'underline dotted';
+  }
+  meta.appendChild(user);
+
+  const childDate = request.childRequests && request.childRequests[0] ? (request.childRequests[0].requestedDate || request.childRequests[0].RequestedDate) : null;
+  const dateStr = request.requestedDate || request.RequestedDate || request.date || request.Date || childDate;
+  if (dateStr) {
+    const requestDate = document.createElement('span');
+    requestDate.className = 'request-date';
+    try {
+      const dateObj = new Date(dateStr);
+      if (!isNaN(dateObj.getTime())) {
+        const year = dateObj.getFullYear();
+        const month = String(dateObj.getMonth() + 1).padStart(2, '0');
+        const day = String(dateObj.getDate()).padStart(2, '0');
+        const hours = String(dateObj.getHours()).padStart(2, '0');
+        const minutes = String(dateObj.getMinutes()).padStart(2, '0');
+        requestDate.textContent = `Date: ${year}-${month}-${day} ${hours}:${minutes}`;
+      } else {
+        requestDate.textContent = `Date: ${dateStr}`;
+      }
+    } catch (e) {
+      requestDate.textContent = `Date: ${dateStr}`;
+    }
+    meta.appendChild(requestDate);
   }
 
   if (request.quality) {
@@ -128,25 +191,42 @@ function createRequestCard(request) {
   content.appendChild(title);
   content.appendChild(meta);
 
-  const actions = document.createElement('div');
-  actions.className = 'request-actions';
+  const actions = document.createElement('span');
+  actions.className = 'service-icons-container';
 
-  if (state.ombiBaseUrl && request.theMovieDbId) {
+  const id = request.theTvDbId || request.theTvdbId || request.tvDbId || request.tvdbId || request.TvDbId || request.TheTvDbId || request.theMovieDbId || request.theTmdbId || request.imdbId || request.ImdbId;
+  if (state.ombiBaseUrl && id) {
     const ombiLink = document.createElement('a');
-    ombiLink.className = 'request-link ombi-link';
-    ombiLink.href = `${state.ombiBaseUrl}/details/${request.mediaType || 'movie'}/${request.theMovieDbId}`;
+    ombiLink.className = 'ombi-link';
+    ombiLink.href = `${state.ombiBaseUrl}/details/${request.mediaType || 'movie'}/${id}`;
     ombiLink.target = '_blank';
     ombiLink.title = 'View in Ombi';
     
     const ombiIcon = document.createElement('img');
+    ombiIcon.className = 'service-icon ombi';
     ombiIcon.src = '/images/ombi.svg';
     ombiIcon.alt = 'Ombi';
-    ombiIcon.className = 'request-icon';
     
     ombiLink.appendChild(ombiIcon);
     actions.appendChild(ombiLink);
   }
 
+  if (state.isAdmin && request.arrLink) {
+    const arrLink = document.createElement('a');
+    arrLink.className = `${request.arrType}-link`;
+    arrLink.href = request.arrLink;
+    arrLink.target = '_blank';
+    arrLink.title = `View in ${request.arrType === 'sonarr' ? 'Sonarr' : 'Radarr'}`;
+    
+    const arrIcon = document.createElement('img');
+    arrIcon.className = `service-icon ${request.arrType}`;
+    arrIcon.src = request.arrType === 'sonarr' ? '/images/sonarr.svg' : '/images/radarr.svg';
+    arrIcon.alt = request.arrType === 'sonarr' ? 'Sonarr' : 'Radarr';
+    
+    arrLink.appendChild(arrIcon);
+    actions.appendChild(arrLink);
+  }
+
   card.appendChild(typeIcon);
   card.appendChild(content);
   card.appendChild(actions);

client/src/ui/theme.js

@@ -4,24 +4,43 @@ import { getTheme, saveTheme } from '../utils/storage.js';
 
 // Apply saved theme immediately on load
 (function applyTheme() {
-  const theme = getTheme();
-  if (theme) {
-    document.documentElement.setAttribute('data-theme', theme);
-  }
+  const theme = getTheme() || 'light';
+  document.documentElement.setAttribute('data-theme', theme);
 })();
 
 export function initThemeSwitcher() {
-  const themeToggle = document.getElementById('theme-toggle');
-  if (!themeToggle) return;
+  const themeButtons = document.querySelectorAll('.theme-btn');
+  const currentTheme = getTheme() || 'light';
   
-  themeToggle.addEventListener('click', () => {
-    const currentTheme = getTheme();
-    const newTheme = currentTheme === 'dark' ? 'light' : 'dark';
-    setTheme(newTheme);
+  // Set initial active state on buttons
+  themeButtons.forEach(btn => {
+    if (btn.getAttribute('data-theme') === currentTheme) {
+      btn.classList.add('active');
+    } else {
+      btn.classList.remove('active');
+    }
+    
+    btn.addEventListener('click', () => {
+      const theme = btn.getAttribute('data-theme');
+      if (theme) {
+        setTheme(theme);
+      }
+    });
   });
 }
 
 export function setTheme(theme) {
   document.documentElement.setAttribute('data-theme', theme);
   saveTheme(theme);
+  
+  // Sync button active classes if elements are present on the page
+  const themeButtons = document.querySelectorAll('.theme-btn');
+  themeButtons.forEach(btn => {
+    if (btn.getAttribute('data-theme') === theme) {
+      btn.classList.add('active');
+    } else {
+      btn.classList.remove('active');
+    }
+  });
 }
+

client/src/utils/ombiFilters.js

@@ -17,6 +17,23 @@ export function getRequestStatus(request) {
   if (request.denied) return 'denied';
   if (request.approved) return 'approved';
   if (request.requested) return 'pending';
+
+  // Ombi TV requests store status flags inside childRequests
+  if (Array.isArray(request.childRequests) && request.childRequests.length > 0) {
+    for (const child of request.childRequests) {
+      if (child && child.available) return 'available';
+    }
+    for (const child of request.childRequests) {
+      if (child && child.denied) return 'denied';
+    }
+    for (const child of request.childRequests) {
+      if (child && child.approved) return 'approved';
+    }
+    for (const child of request.childRequests) {
+      if (child && child.requested) return 'pending';
+    }
+  }
+
   return 'unknown';
 }
 

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "sofarr",
-  "version": "1.7.12",
+  "version": "1.7.28",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "sofarr",
-      "version": "1.7.12",
+      "version": "1.7.28",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.6.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "sofarr",
-  "version": "1.7.12",
+  "version": "1.7.28",
   "description": "A personal media download dashboard that shows your downloads 'so far' while you relax on the sofa waiting for your *arr services to finish",
   "main": "server/index.js",
   "scripts": {

public/style.css

@@ -1888,6 +1888,23 @@ body {
 
 /* ===== Mobile ===== */
 @media (max-width: 768px) {
+  .main-tabs {
+    padding: 0 8px;
+  }
+
+  .requests-container {
+    padding: 8px;
+  }
+
+  .request-card {
+    gap: 8px;
+    padding: 10px;
+  }
+
+  .request-meta {
+    gap: 4px;
+  }
+
   .app {
     padding: 10px;
   }
@@ -2234,6 +2251,7 @@ body {
 .requests-list {
   display: grid;
   gap: 12px;
+  overflow-x: hidden;
 }
 
 .request-card {
@@ -2245,6 +2263,7 @@ body {
   border: 1px solid var(--border);
   border-radius: 8px;
   transition: box-shadow 0.2s ease, border-color 0.2s ease;
+  min-width: 0;
 }
 
 .request-card:hover {
@@ -2273,7 +2292,6 @@ body {
   font-weight: 600;
   color: var(--text-primary);
   margin-bottom: 4px;
-  white-space: nowrap;
   overflow: hidden;
   text-overflow: ellipsis;
 }

server/app.js

@@ -15,6 +15,8 @@ const swaggerUi = require('swagger-ui-express');
 const swaggerJsdoc = require('swagger-jsdoc');
 const YAML = require('yamljs');
 const path = require('path');
+const fs = require('fs');
+const { version } = require('../package.json');
 
 const sabnzbdRoutes = require('./routes/sabnzbd');
 const sonarrRoutes = require('./routes/sonarr');
@@ -128,13 +130,17 @@ function createApp({ skipRateLimits = false } = {}) {
    *                   type: number
    *                   description: Server uptime in seconds
    *                   example: 3600.5
+   *                 version:
+   *                   type: string
+   *                   description: sofarr version
+   *                   example: "1.7.28"
    *     x-code-samples:
    *       - lang: curl
    *         label: cURL
    *         source: curl http://localhost:3001/health
    */
   app.get('/health', (req, res) => {
-    res.json({ status: 'ok', uptime: process.uptime() });
+    res.json({ status: 'ok', uptime: process.uptime(), version });
   });
 
   /**
@@ -227,6 +233,44 @@ function createApp({ skipRateLimits = false } = {}) {
   app.use('/api/status', statusRoutes);
   app.use('/api/history', historyRoutes);
 
+  // ---------------------------------------------------------------------------
+  // Static files — served before API routes
+  // index.html is served manually so we can inject the CSP nonce
+  // ---------------------------------------------------------------------------
+  const PUBLIC_DIR = path.join(__dirname, '../public');
+  const INDEX_HTML = path.join(PUBLIC_DIR, 'index.html');
+
+  // Serve all static assets (js, css, images, icons) except index.html.
+  // JS and CSS get no-cache so browsers revalidate on every load (ETag still
+  // avoids re-downloading unchanged files; only a deploy changes the ETag).
+  app.use(express.static(PUBLIC_DIR, {
+    index: false,
+    setHeaders(res, filePath) {
+      if (filePath.endsWith('.js') || filePath.endsWith('.css')) {
+        res.setHeader('Cache-Control', 'no-cache');
+      }
+    }
+  }));
+
+  // Serve index.html with CSP nonce injected into <script> tags
+  function serveIndex(req, res) {
+    fs.readFile(INDEX_HTML, 'utf8', (err, html) => {
+      if (err) return res.status(500).send('Internal Server Error');
+      const nonce = res.locals.cspNonce;
+      // Only inject nonce into <script> tags — style-src 'self' already permits
+      // same-origin <link rel=stylesheet> without a nonce, and injecting a nonce
+      // onto <link> breaks mobile browsers / caching proxies (stale HTML carries
+      // the old nonce which no longer matches the per-request CSP header).
+      const patched = html
+        .replace(/<script([^>]*)>/gi, `<script nonce="${nonce}"$1>`);
+      res.setHeader('Content-Type', 'text/html; charset=utf-8');
+      res.send(patched);
+    });
+  }
+
+  // SPA catch-all — serve index.html for any unmatched path
+  app.get('*', serveIndex);
+
   // Global error handler
   // eslint-disable-next-line no-unused-vars
   app.use((err, req, res, next) => {

server/clients/OmbiClient.js

@@ -125,6 +125,20 @@ class OmbiClient {
       return false;
     }
   }
+
+  /**
+   * Get all users from Ombi
+   * @returns {Promise<Array>} Array of user objects
+   */
+  async getUsers() {
+    try {
+      const response = await this.axios.get(`${this.url}/api/v1/Identity/Users`);
+      return response.data || [];
+    } catch (error) {
+      logToFile(`[OmbiClient] Get users error: ${error.message}`);
+      return [];
+    }
+  }
 }
 
 module.exports = OmbiClient;

server/clients/OmbiRetriever.js

@@ -16,8 +16,10 @@ class OmbiRetriever extends ArrRetriever {
     this.cache = {
       movieRequests: [],
       tvRequests: [],
+      users: [],
       movieMap: new Map(), // tmdbId -> request
       tvMap: new Map(),    // tvdbId -> request
+      userMap: new Map(),  // id -> user
       lastFetch: 0,
       ttl: 5 * 60 * 1000  // 5 minutes TTL
     };
@@ -98,20 +100,32 @@ class OmbiRetriever extends ArrRetriever {
     try {
       logToFile('[OmbiRetriever] Refreshing cache');
       
-      // Fetch requests in parallel
-      const [movieRequests, tvRequests] = await Promise.all([
+      // Fetch requests and users in parallel
+      const [movieRequests, tvRequests, users] = await Promise.all([
         this.client.getMovieRequests(),
-        this.client.getTvRequests()
+        this.client.getTvRequests(),
+        this.client.getUsers()
       ]);
 
       // Update cache
       this.cache.movieRequests = movieRequests;
       this.cache.tvRequests = tvRequests;
+      this.cache.users = users;
       this.cache.lastFetch = Date.now();
 
       // Build lookup maps
       this.cache.movieMap.clear();
       this.cache.tvMap.clear();
+      this.cache.userMap.clear();
+
+      // Build user map (id -> user)
+      if (Array.isArray(users)) {
+        users.forEach(user => {
+          if (user && user.id) {
+            this.cache.userMap.set(user.id, user);
+          }
+        });
+      }
 
       // Build movie map (tmdbId -> request)
       movieRequests.forEach(request => {
@@ -133,13 +147,102 @@ class OmbiRetriever extends ArrRetriever {
         }
       });
 
-      logToFile(`[OmbiRetriever] Cache refreshed: ${movieRequests.length} movies, ${tvRequests.length} TV shows`);
+      logToFile(`[OmbiRetriever] Cache refreshed: ${movieRequests.length} movies, ${tvRequests.length} TV shows, ${users.length} users`);
     } catch (error) {
       logToFile(`[OmbiRetriever] Cache refresh failed: ${error.message}`);
       // Don't throw error, continue with stale cache if available
     }
   }
 
+  /**
+   * Hydrates requestedUser on a single request using the userMap cache
+   * @param {Object} req - The request object
+   * @returns {Object} Hydrated request object
+   * @private
+   */
+  _hydrateRequest(req) {
+    if (!req) return req;
+
+    let result = req;
+
+    const reqUserId = req.requestedUserId || req.RequestedUserId;
+    if (reqUserId && this.cache.userMap.has(reqUserId)) {
+      const cachedUser = this.cache.userMap.get(reqUserId);
+
+      let requestedUser = req.requestedUser || req.RequestedUser;
+
+      // If requestedUser is not an object or is empty/null, populate it
+      if (!requestedUser || typeof requestedUser !== 'object' || Object.keys(requestedUser).length === 0) {
+        const hydratedUser = {
+          id: cachedUser.id,
+          userName: cachedUser.userName,
+          alias: cachedUser.alias || cachedUser.Alias || '',
+          userAlias: cachedUser.userAlias || cachedUser.UserAlias || '',
+          normalizedUserName: cachedUser.normalizedUserName || cachedUser.NormalizedUserName || ''
+        };
+
+        result = {
+          ...req,
+          requestedUser: hydratedUser,
+          RequestedUser: hydratedUser
+        };
+      }
+    }
+
+    // Hydrate childRequests (common for Ombi TV show requests)
+    if (Array.isArray(result.childRequests) && result.childRequests.length > 0) {
+      const hydratedChildren = result.childRequests.map(child => {
+        if (!child) return child;
+
+        const childUserId = child.requestedUserId || child.RequestedUserId;
+        if (childUserId && this.cache.userMap.has(childUserId)) {
+          const cachedUser = this.cache.userMap.get(childUserId);
+          let childUser = child.requestedUser || child.RequestedUser;
+
+          if (!childUser || typeof childUser !== 'object' || Object.keys(childUser).length === 0) {
+            const hydratedUser = {
+              id: cachedUser.id,
+              userName: cachedUser.userName,
+              alias: cachedUser.alias || cachedUser.Alias || '',
+              userAlias: cachedUser.userAlias || cachedUser.UserAlias || '',
+              normalizedUserName: cachedUser.normalizedUserName || cachedUser.NormalizedUserName || ''
+            };
+
+            return {
+              ...child,
+              requestedUser: hydratedUser,
+              RequestedUser: hydratedUser
+            };
+          }
+        }
+        return child;
+      });
+
+      result = { ...result, childRequests: hydratedChildren };
+    }
+
+    // Promote requestedDate from childRequests to top level (common for Ombi TV)
+    if (!result.requestedDate && Array.isArray(result.childRequests) && result.childRequests.length > 0) {
+      const childDate = result.childRequests[0].requestedDate || result.childRequests[0].RequestedDate;
+      if (childDate) {
+        result = { ...result, requestedDate: childDate };
+      }
+    }
+
+    return result;
+  }
+
+  /**
+   * Hydrates requestedUser on a list of requests using the userMap cache
+   * @param {Array} requests - Array of request objects
+   * @returns {Array} Array of hydrated request objects
+   * @private
+   */
+  _hydrateRequests(requests) {
+    if (!Array.isArray(requests)) return [];
+    return requests.map(req => this._hydrateRequest(req));
+  }
+
   /**
    * Get all movie requests
    * @param {boolean} force - Whether to force refresh from API
@@ -147,7 +250,7 @@ class OmbiRetriever extends ArrRetriever {
    */
   async getMovieRequests(force = false) {
     await this.refreshCache(force);
-    return this.cache.movieRequests;
+    return this._hydrateRequests(this.cache.movieRequests);
   }
 
   /**
@@ -157,7 +260,7 @@ class OmbiRetriever extends ArrRetriever {
    */
   async getTvRequests(force = false) {
     await this.refreshCache(force);
-    return this.cache.tvRequests;
+    return this._hydrateRequests(this.cache.tvRequests);
   }
 
   /**
@@ -171,12 +274,12 @@ class OmbiRetriever extends ArrRetriever {
     
     // Try TMDB ID first
     if (tmdbId && this.cache.movieMap.has(tmdbId)) {
-      return this.cache.movieMap.get(tmdbId);
+      return this._hydrateRequest(this.cache.movieMap.get(tmdbId));
     }
     
     // Try IMDB ID as fallback
     if (imdbId && this.cache.movieMap.has(imdbId)) {
-      return this.cache.movieMap.get(imdbId);
+      return this._hydrateRequest(this.cache.movieMap.get(imdbId));
     }
     
     return null;
@@ -193,12 +296,12 @@ class OmbiRetriever extends ArrRetriever {
     
     // Try TVDB ID first
     if (tvdbId && this.cache.tvMap.has(tvdbId)) {
-      return this.cache.tvMap.get(tvdbId);
+      return this._hydrateRequest(this.cache.tvMap.get(tvdbId));
     }
     
     // Try TMDB ID as fallback
     if (tmdbId && this.cache.tvMap.has(tmdbId)) {
-      return this.cache.tvMap.get(tmdbId);
+      return this._hydrateRequest(this.cache.tvMap.get(tmdbId));
     }
     
     return null;

server/index.js

@@ -82,20 +82,9 @@ console.error = function(...args) {
   logFile.write(`[${new Date().toISOString()}] ERROR: ${message}\n`);
 };
 
-const sabnzbdRoutes = require('./routes/sabnzbd');
-const sonarrRoutes = require('./routes/sonarr');
-const radarrRoutes = require('./routes/radarr');
-const embyRoutes = require('./routes/emby');
-const dashboardRoutes = require('./routes/dashboard');
-const statusRoutes = require('./routes/status');
-const historyRoutes = require('./routes/history');
-const authRoutes = require('./routes/auth');
-const webhookRoutes = require('./routes/webhook');
-const ombiRoutes = require('./routes/ombi');
-const debugRoutes = require('./routes/debug');
-const verifyCsrf = require('./middleware/verifyCsrf');
 const { startPoller, POLL_INTERVAL, POLLING_ENABLED } = require('./utils/poller');
 const { validateInstanceUrl } = require('./utils/config');
+const { createApp } = require('./app');
 
 // ---------------------------------------------------------------------------
 // Startup environment validation
@@ -117,284 +106,10 @@ if (process.env.EMBY_URL) {
   validateInstanceUrl(process.env.EMBY_URL, 'EMBY_URL');
 }
 
-const app = express();
+const app = createApp();
 const PORT = process.env.PORT || 3001;
-
-// Load OpenAPI spec from YAML
-const openapiSpec = YAML.load(path.join(__dirname, 'openapi.yaml'));
-
-// Configure swagger-jsdoc to merge JSDoc comments from route files
-const swaggerOptions = {
-  definition: {
-    ...openapiSpec,
-    openapi: '3.1.0'
-  },
-  apis: [
-    path.join(__dirname, 'routes/*.js'),
-    path.join(__dirname, 'index.js')
-  ]
-};
-
-const swaggerSpec = swaggerJsdoc(swaggerOptions);
-
-// Resolve TLS_ENABLED early — used in Helmet CSP and server startup
 const TLS_ENABLED = (process.env.TLS_ENABLED || 'true').toLowerCase() !== 'false';
 
-// ---------------------------------------------------------------------------
-// Trust proxy — required when behind Nginx/Caddy/Traefik so that
-// req.ip reflects the real client IP (not 127.0.0.1) and
-// req.secure is true when the upstream TLS is terminated by the proxy.
-// Set TRUST_PROXY=1 (or a specific IP/CIDR) via env.
-// ---------------------------------------------------------------------------
-if (process.env.TRUST_PROXY) {
-  const trustValue = /^\d+$/.test(process.env.TRUST_PROXY)
-    ? parseInt(process.env.TRUST_PROXY, 10)
-    : process.env.TRUST_PROXY;
-  app.set('trust proxy', trustValue);
-}
-
-// ---------------------------------------------------------------------------
-// Helmet v7 — security response headers
-// CSP uses a per-request nonce injected into index.html so inline scripts
-// and styles are allowed only with a valid nonce, not blanket unsafe-inline.
-// ---------------------------------------------------------------------------
-app.use((req, res, next) => {
-  // Generate a fresh nonce for every request
-  res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
-  next();
-});
-
-app.use((req, res, next) => {
-  helmet({
-    contentSecurityPolicy: {
-      directives: {
-        defaultSrc: ["'self'"],
-        scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
-        styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
-        imgSrc: ["'self'", 'data:', 'blob:'],
-        fontSrc: ["'self'", 'data:'],
-        connectSrc: ["'self'"],
-        objectSrc: ["'none'"],
-        baseUri: ["'self'"],
-        frameAncestors: ["'none'"],
-        formAction: ["'self'"],
-        upgradeInsecureRequests: (process.env.TRUST_PROXY || TLS_ENABLED) ? [] : null
-      }
-    },
-    hsts: {
-      maxAge: 31536000,       // 1 year
-      includeSubDomains: true,
-      preload: true
-    },
-    referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
-    crossOriginEmbedderPolicy: false // not needed for this SPA
-  })(req, res, next);
-});
-
-// Permissions-Policy — disable powerful browser features not needed by the app
-app.use((req, res, next) => {
-  res.setHeader(
-    'Permissions-Policy',
-    'camera=(), microphone=(), geolocation=(), payment=(), usb=()'
-  );
-  next();
-});
-
-// ---------------------------------------------------------------------------
-// General API rate limiter — applies to all /api/* routes
-// More specific limiters (e.g. login) apply on top of this.
-// ---------------------------------------------------------------------------
-const apiLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,   // 15 minutes
-  max: 300,                    // 300 requests per IP per window (generous for polling)
-  standardHeaders: true,
-  legacyHeaders: false,
-  skip: (req) => req.originalUrl && req.originalUrl.startsWith('/api/dashboard/cover-art'),
-  message: { error: 'Too many requests, please try again later' }
-});
-
-// ---------------------------------------------------------------------------
-// Body parsing & cookies
-// ---------------------------------------------------------------------------
-app.use(cookieParser(cookieSecret || undefined));
-app.use(express.json({ limit: '64kb' })); // prevent oversized JSON payloads
-
-// ---------------------------------------------------------------------------
-// Health / readiness endpoints (no auth, no rate-limit)
-// Used by Docker HEALTHCHECK and orchestrators.
-// ---------------------------------------------------------------------------
-/**
- * @openapi
- * /health:
- *   get:
- *     tags: [Health]
- *     summary: Health check
- *     description: Returns server uptime and status. No authentication required. Used for liveness probes.
- *     security: []
- *     responses:
- *       '200':
- *         description: Server is healthy
- *         content:
- *           application/json:
- *             schema:
- *               type: object
- *               properties:
- *                 status:
- *                   type: string
- *                   example: "ok"
- *                 uptime:
- *                   type: number
- *                   description: Server uptime in seconds
- *                   example: 3600.5
- *                 version:
- *                   type: string
- *                   description: sofarr version
- *                   example: "1.6.0"
- */
-app.get('/health', (req, res) => {
-  res.json({ status: 'ok', uptime: process.uptime(), version });
-});
-
-/**
- * @openapi
- * /ready:
- *   get:
- *     tags: [Health]
- *     summary: Readiness check
- *     description: Checks if critical configuration (EMBY_URL) is present. Used by Docker HEALTHCHECK and orchestrators. No authentication required.
- *     security: []
- *     responses:
- *       '200':
- *         description: Server is ready
- *         content:
- *           application/json:
- *             schema:
- *               type: object
- *               properties:
- *                 status:
- *                   type: string
- *                   example: "ready"
- *       '503':
- *         description: Server not ready
- *         content:
- *           application/json:
- *             schema:
- *               type: object
- *               properties:
- *                 status:
- *                   type: string
- *                   example: "not ready"
- *                 reason:
- *                   type: string
- *                   example: "EMBY_URL not configured"
- */
-app.get('/ready', (req, res) => {
-  // Confirm critical config is present
-  const ready = !!(process.env.EMBY_URL);
-  if (ready) {
-    res.json({ status: 'ready' });
-  } else {
-    res.status(503).json({ status: 'not ready', reason: 'EMBY_URL not configured' });
-  }
-});
-
-// ---------------------------------------------------------------------------
-// Swagger UI - publicly accessible API documentation
-// ---------------------------------------------------------------------------
-app.use('/api/swagger', swaggerUi.serve, swaggerUi.setup(null, {
-  customSiteTitle: 'sofarr API Documentation',
-  customCss: '.swagger-ui .topbar { display: none }',
-  customJs: [
-    '/swagger-auth-banner.js'
-  ],
-  swaggerOptions: {
-    url: '/api/swagger.json'
-  }
-}));
-
-// Serve the raw OpenAPI spec as JSON with dynamic server URL
-app.get('/api/swagger.json', (req, res) => {
-  // Clone the spec to avoid modifying the original
-  const specCopy = JSON.parse(JSON.stringify(swaggerSpec));
-  
-  // Replace the server URL with the current request's origin
-  if (specCopy.servers && specCopy.servers.length > 0) {
-    const protocol = req.protocol;
-    const host = req.get('host');
-    specCopy.servers[0].url = `${protocol}://${host}`;
-  }
-  
-  res.json(specCopy);
-});
-
-// ---------------------------------------------------------------------------
-// Static files — served before API routes
-// index.html is served manually so we can inject the CSP nonce
-// ---------------------------------------------------------------------------
-const PUBLIC_DIR = path.join(__dirname, '../public');
-const INDEX_HTML = path.join(PUBLIC_DIR, 'index.html');
-
-// Serve all static assets (js, css, images, icons) except index.html.
-// JS and CSS get no-cache so browsers revalidate on every load (ETag still
-// avoids re-downloading unchanged files; only a deploy changes the ETag).
-app.use(express.static(PUBLIC_DIR, {
-  index: false,
-  setHeaders(res, filePath) {
-    if (filePath.endsWith('.js') || filePath.endsWith('.css')) {
-      res.setHeader('Cache-Control', 'no-cache');
-    }
-  }
-}));
-
-// Serve index.html with CSP nonce injected into <script> tags
-function serveIndex(req, res) {
-  fs.readFile(INDEX_HTML, 'utf8', (err, html) => {
-    if (err) return res.status(500).send('Internal Server Error');
-    const nonce = res.locals.cspNonce;
-    // Only inject nonce into <script> tags — style-src 'self' already permits
-    // same-origin <link rel=stylesheet> without a nonce, and injecting a nonce
-    // onto <link> breaks mobile browsers / caching proxies (stale HTML carries
-    // the old nonce which no longer matches the per-request CSP header).
-    const patched = html
-      .replace(/<script([^>]*)>/gi, `<script nonce="${nonce}"$1>`);
-    res.setHeader('Content-Type', 'text/html; charset=utf-8');
-    res.send(patched);
-  });
-}
-
-// ---------------------------------------------------------------------------
-// API routes (rate-limited; auth routes exempt CSRF for login/csrf endpoints)
-// CSRF protection applies to all state-changing /api/* requests except
-// /api/auth/login (pre-auth) and /api/auth/csrf (issues the token).
-// ---------------------------------------------------------------------------
-app.use('/api', apiLimiter);
-app.use('/api/auth', authRoutes);
-app.use('/api/webhook', webhookRoutes);
-app.use('/api/debug', debugRoutes);
-
-// All routes below this point require CSRF validation on mutating methods
-app.use('/api', verifyCsrf);
-app.use('/api/sabnzbd', sabnzbdRoutes);
-app.use('/api/sonarr', sonarrRoutes);
-app.use('/api/radarr', radarrRoutes);
-app.use('/api/emby', embyRoutes);
-app.use('/api/ombi', ombiRoutes);
-app.use('/api/dashboard', dashboardRoutes);
-app.use('/api/status', statusRoutes);
-app.use('/api/history', historyRoutes);
-
-// SPA catch-all — serve index.html for any unmatched path
-app.get('*', serveIndex);
-
-// ---------------------------------------------------------------------------
-// Global error handler — never leak stack traces to clients
-// ---------------------------------------------------------------------------
-// eslint-disable-next-line no-unused-vars
-app.use((err, req, res, next) => {
-  console.error('[Server] Unhandled error:', err.message);
-  res.status(500).json({ error: 'Internal server error' });
-});
-
 // ---------------------------------------------------------------------------
 // TLS / HTTPS support
 // Set TLS_CERT and TLS_KEY to paths of your certificate and private key.

server/openapi.yaml

@@ -12,13 +12,17 @@ info:
     4. Subsequent requests must include the cookies and send the `X-CSRF-Token` header for state-changing operations (POST, PUT, PATCH, DELETE)
 
     ## Rate Limiting
-    - General API: 300 requests per 15 minutes per IP
-    - Login: 10 failed attempts per 15 minutes per IP
-    - Webhooks: 60 requests per minute per IP
+    To protect the system from resource exhaustion, rate limiters are enforced at different levels:
+    - **General API Limiter**: Enforces a limit of **300 requests per 15 minutes** per IP across all `/api/*` endpoints. 
+      - *Exemption:* Requests starting with `/api/dashboard/cover-art` are completely exempted from this limit to avoid normal dashboard image browsing triggering blocks.
+    - **Login Rate Limiter**: Enforces a strict limit of **10 attempts per 15 minutes** per IP on `POST /api/auth/login`. 
+      - *Exemption:* This limiter only tracks and counts *failed* login attempts (`skipSuccessfulRequests: true`). Successful logins do not count towards the lockout threshold.
+    - **Webhook Limiter**: Enforces a limit of **60 requests per minute** per IP on stateful webhook receiver endpoints (`/api/webhook/*`).
+    - **Health and Readiness Probes**: The public `/health` and `/ready` endpoints are mounted at the root directory level rather than under `/api/*` and are completely exempt from both rate limiting and authentication controls.
 
     ## SSE Streaming
     Real-time updates are available via Server-Sent Events at GET /api/dashboard/stream.
-  version: 1.6.0
+  version: 1.7.28
   contact:
     name: sofarr
   license:
@@ -172,6 +176,27 @@ components:
           nullable: true
           description: Tooltip text for Ombi icon ("Request" or "Search")
           example: "Request"
+        arrLink:
+          type: string
+          nullable: true
+          format: uri
+          description: Sonarr/Radarr show/movie web UI link (admin-only)
+          example: "http://sonarr:8989/series/show-slug"
+        downloadPath:
+          type: string
+          nullable: true
+          description: Save path in download client (admin-only)
+          example: "/downloads/series/show-slug"
+        targetPath:
+          type: string
+          nullable: true
+          description: Target path in library (admin-only)
+          example: "/tv/show-slug"
+        arrInstanceKey:
+          type: string
+          nullable: true
+          description: Sonarr/Radarr instance API key (admin-only)
+          example: "api-key-here"
 
     DashboardPayload:
       type: object
@@ -791,8 +816,15 @@ paths:
     post:
       tags: [Webhook]
       summary: Sonarr webhook
-      description: Receives webhook events from Sonarr. Requires X-Sofarr-Webhook-Secret header.
+      description: Receives webhook events from Sonarr. Requires X-Sofarr-Webhook-Secret header or secret query parameter.
       security: []
+      parameters:
+        - name: secret
+          in: query
+          required: false
+          schema:
+            type: string
+          description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
       requestBody:
         required: true
         content:
@@ -828,8 +860,15 @@ paths:
     post:
       tags: [Webhook]
       summary: Radarr webhook
-      description: Receives webhook events from Radarr. Requires X-Sofarr-Webhook-Secret header.
+      description: Receives webhook events from Radarr. Requires X-Sofarr-Webhook-Secret header or secret query parameter.
       security: []
+      parameters:
+        - name: secret
+          in: query
+          required: false
+          schema:
+            type: string
+          description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
       requestBody:
         required: true
         content:
@@ -865,8 +904,15 @@ paths:
     post:
       tags: [Webhook]
       summary: Ombi webhook
-      description: Receives webhook events from Ombi. Requires X-Sofarr-Webhook-Secret header.
+      description: Receives webhook events from Ombi. Requires X-Sofarr-Webhook-Secret header or secret query parameter.
       security: []
+      parameters:
+        - name: secret
+          in: query
+          required: false
+          schema:
+            type: string
+          description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
       requestBody:
         required: true
         content:

server/routes/dashboard.js

@@ -13,7 +13,7 @@ const { buildUserDownloads } = require('../services/DownloadBuilder');
 const { onHistoryUpdate, offHistoryUpdate } = require('../utils/historyFetcher');
 const arrRetrieverRegistry = require('../utils/arrRetrievers');
 const { getOmbiInstances, getSonarrInstances, getRadarrInstances } = require('../utils/config');
-const { extractRequestedUser, filterRequestsByUser } = require('../utils/ombiHelpers');
+const { extractRequestedUser, filterRequestsByUser, decorateRequestsWithArrLinks } = require('../utils/ombiHelpers');
 const { canBlocklist } = require('../services/DownloadAssembler');
 
 
@@ -51,17 +51,43 @@ function readCacheSnapshot() {
 function buildMetadataMaps(snapshot) {
   const seriesMap = new Map();
   for (const r of snapshot.sonarrQueue.data.records) {
-    if (r.series && r.seriesId) seriesMap.set(r.seriesId, r.series);
+    if (r.series && r.seriesId) {
+      if (!r.series._instanceUrl && r._instanceUrl) {
+        r.series._instanceUrl = r._instanceUrl;
+      }
+      seriesMap.set(r.seriesId, r.series);
+    }
   }
   for (const r of snapshot.sonarrHistory.data.records) {
-    if (r.series && r.seriesId && !seriesMap.has(r.seriesId)) seriesMap.set(r.seriesId, r.series);
+    if (r.series && r.seriesId) {
+      if (!r.series._instanceUrl && r._instanceUrl) {
+        r.series._instanceUrl = r._instanceUrl;
+      }
+      const existing = seriesMap.get(r.seriesId);
+      if (!existing || (!existing._instanceUrl && r.series._instanceUrl)) {
+        seriesMap.set(r.seriesId, r.series);
+      }
+    }
   }
   const moviesMap = new Map();
   for (const r of snapshot.radarrQueue.data.records) {
-    if (r.movie && r.movieId) moviesMap.set(r.movieId, r.movie);
+    if (r.movie && r.movieId) {
+      if (!r.movie._instanceUrl && r._instanceUrl) {
+        r.movie._instanceUrl = r._instanceUrl;
+      }
+      moviesMap.set(r.movieId, r.movie);
+    }
   }
   for (const r of snapshot.radarrHistory.data.records) {
-    if (r.movie && r.movieId && !moviesMap.has(r.movieId)) moviesMap.set(r.movieId, r.movie);
+    if (r.movie && r.movieId) {
+      if (!r.movie._instanceUrl && r._instanceUrl) {
+        r.movie._instanceUrl = r._instanceUrl;
+      }
+      const existing = moviesMap.get(r.movieId);
+      if (!existing || (!existing._instanceUrl && r.movie._instanceUrl)) {
+        moviesMap.set(r.movieId, r.movie);
+      }
+    }
   }
   const sonarrTagMap = new Map(snapshot.sonarrTagsResults.flatMap(t => t.data || []).map(t => [t.id, t.label]));
   const radarrTagMap = new Map(snapshot.radarrTags.data.map(t => [t.id, t.label]));
@@ -499,8 +525,14 @@ router.get('/stream', requireAuth, async (req, res) => {
       const showAllOmbi = showAll; // Use the same showAll flag for Ombi
 
 
-      const filteredOmbiMovieRequests = filterRequestsByUser(ombiRequests.movie || [], username, showAllOmbi);
-      const filteredOmbiTvRequests = filterRequestsByUser(ombiRequests.tv || [], username, showAllOmbi);
+      const filteredOmbiMovieRequests = filterRequestsByUser(ombiRequests.movie || [], username, showAllOmbi).map(r => ({ ...r, mediaType: 'movie' }));
+      const filteredOmbiTvRequests = filterRequestsByUser(ombiRequests.tv || [], username, showAllOmbi).map(r => ({ ...r, mediaType: 'tv' }));
+
+      // Admin only: add Sonarr/Radarr lookup links
+      if (isAdmin) {
+        const allFiltered = [...filteredOmbiMovieRequests, ...filteredOmbiTvRequests];
+        await decorateRequestsWithArrLinks(allFiltered, isAdmin);
+      }
 
       const ombiRequestsFiltered = {
         movie: filteredOmbiMovieRequests,
@@ -686,17 +718,33 @@ router.post('/blocklist-search', requireAuth, async (req, res) => {
       return res.status(400).json({ error: 'arrType must be sonarr or radarr' });
     }
 
-    // Look up the download to verify permission
-    const allDownloads = await downloadClientRegistry.getAllDownloads();
-    const download = allDownloads.find(d => d.arrQueueId === arrQueueId && d.arrType === arrType);
+    // Look up the queue record directly from the *arr cache.
+    // downloadClientRegistry.getAllDownloads() returns raw download-client data
+    // (qBittorrent, SABnzbd, etc.) which never has arrQueueId set — that field
+    // is only populated later by DownloadMatcher during the SSE build phase.
+    // Instead, we verify permission by finding the record in the Sonarr/Radarr
+    // queue cache where record.id is the numeric queue ID.
+    // Cast both sides to String to handle the DOM dataset → string vs API → number mismatch.
+    const queueCacheKey = arrType === 'sonarr' ? 'poll:sonarr-queue' : 'poll:radarr-queue';
+    const queueData = cache.get(queueCacheKey) || { records: [] };
+    const queueRecord = (queueData.records || []).find(r => r.id != null && String(r.id) === String(arrQueueId));
 
-    if (!download) {
-      console.error('[Blocklist] Download not found:', { arrQueueId, arrType });
+    if (!queueRecord) {
+      console.error('[Blocklist] Download not found in arr queue cache:', { arrQueueId, arrType });
       return res.status(403).json({ error: 'Download not found or permission denied' });
     }
 
+    // Build a minimal download-like object for canBlocklist eligibility check.
+    // Includes importIssues so non-admins can blocklist stalled/import-pending items.
+    const importIssues = require('../services/DownloadAssembler').getImportIssues(queueRecord);
+    const downloadForCheck = {
+      importIssues: importIssues || [],
+      arrQueueId: queueRecord.id,
+      arrType
+    };
+
     // Check if user can blocklist this download
-    if (!canBlocklist(download, user.isAdmin)) {
+    if (!canBlocklist(downloadForCheck, user.isAdmin)) {
       console.log('[Blocklist] Permission denied:', { user: user.name, isAdmin: user.isAdmin, arrQueueId, arrType });
       return res.status(403).json({ error: 'Permission denied: admin or qualifying conditions required' });
     }

server/routes/ombi.js

@@ -2,9 +2,9 @@
 const express = require('express');
 const { logToFile } = require('../utils/logger');
 const cache = require('../utils/cache');
-const { getOmbiInstances, getWebhookSecret, getSofarrBaseUrl } = require('../utils/config');
+const { getOmbiInstances, getWebhookSecret, getSofarrBaseUrl, getSofarrWebhookBaseUrl } = require('../utils/config');
 const requireAuth = require('../middleware/requireAuth');
-const { extractRequestedUser, filterRequestsByUser } = require('../utils/ombiHelpers');
+const { extractRequestedUser, filterRequestsByUser, decorateRequestsWithArrLinks } = require('../utils/ombiHelpers');
 const { applyRequestFilters } = require('../utils/ombiFilters');
 
 const router = express.Router();
@@ -126,6 +126,11 @@ router.get('/requests', requireAuth, async (req, res) => {
       ...filteredTvRequests.map(r => ({ ...r, mediaType: 'tv' }))
     ];
 
+    // Admin only: add Sonarr/Radarr lookup links
+    if (isAdmin) {
+      await decorateRequestsWithArrLinks(allRequests, isAdmin);
+    }
+
     // Parse query params
     let types = req.query.type;
     let statuses = req.query.status;
@@ -205,10 +210,10 @@ router.get('/requests', requireAuth, async (req, res) => {
  */
 router.post('/webhook/enable', requireAuth, async (req, res) => {
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
 
-    if (!sofarrBaseUrl) {
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
@@ -221,7 +226,7 @@ router.post('/webhook/enable', requireAuth, async (req, res) => {
     }
 
     const ombiInst = ombiInstances[0];
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/ombi`;
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/ombi?secret=${webhookSecret}`;
 
     // Call Ombi API to register webhook
     const axios = require('axios');
@@ -462,10 +467,10 @@ router.get('/webhook/status', requireAuth, async (req, res) => {
  */
 router.post('/webhook/test', requireAuth, async (req, res) => {
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
 
-    if (!sofarrBaseUrl) {
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
@@ -478,25 +483,71 @@ router.post('/webhook/test', requireAuth, async (req, res) => {
     }
 
     const ombiInst = ombiInstances[0];
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/ombi`;
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/ombi`;
 
     // Simulate a test webhook event
     const axios = require('axios');
-    await axios.post(webhookUrl, {
-      notificationType: 'RequestAvailable',
-      requestId: 0,
-      requestedUser: 'test',
-      title: 'Test Request',
-      type: 'Movie',
-      requestStatus: 'Pending'
-    }, {
-      headers: {
-        'X-Sofarr-Webhook-Secret': webhookSecret,
-        'Content-Type': 'application/json'
+    try {
+      await axios.post(webhookUrl, {
+        notificationType: 'RequestAvailable',
+        requestId: 0,
+        requestedUser: 'test',
+        title: 'Test Request',
+        type: 'Movie',
+        requestStatus: 'Pending'
+      }, {
+        headers: {
+          'X-Sofarr-Webhook-Secret': webhookSecret,
+          'Content-Type': 'application/json'
+        }
+      });
+      logToFile(`[Ombi] Test webhook sent to ${webhookUrl}`);
+    } catch (error) {
+      logToFile(`[Ombi] Public test webhook request to ${webhookUrl} failed: ${error.message}. Trying local loopback fallback.`);
+      
+      const port = process.env.PORT || 3001;
+      const tlsEnabled = (process.env.TLS_ENABLED || 'true').toLowerCase() !== 'false';
+      
+      let useHttps = false;
+      if (tlsEnabled) {
+        const fs = require('fs');
+        const path = require('path');
+        const certsDir = path.join(__dirname, '../../certs');
+        const tlsCertPath = process.env.TLS_CERT || path.join(certsDir, 'snakeoil.crt');
+        const tlsKeyPath  = process.env.TLS_KEY  || path.join(certsDir, 'snakeoil.key');
+        try {
+          fs.readFileSync(tlsCertPath);
+          fs.readFileSync(tlsKeyPath);
+          useHttps = true;
+        } catch {
+          useHttps = false;
+        }
       }
-    });
-
-    logToFile(`[Ombi] Test webhook sent to ${webhookUrl}`);
+      
+      const localUrl = `${useHttps ? 'https' : 'http'}://127.0.0.1:${port}/api/webhook/ombi`;
+      
+      const https = require('https');
+      const agent = new https.Agent({
+        rejectUnauthorized: false
+      });
+      
+      await axios.post(localUrl, {
+        notificationType: 'RequestAvailable',
+        requestId: 0,
+        requestedUser: 'test',
+        title: 'Test Request',
+        type: 'Movie',
+        requestStatus: 'Pending'
+      }, {
+        headers: {
+          'X-Sofarr-Webhook-Secret': webhookSecret,
+          'Content-Type': 'application/json'
+        },
+        httpsAgent: useHttps ? agent : undefined
+      });
+      
+      logToFile(`[Ombi] Test webhook sent via local loopback to ${localUrl}`);
+    }
 
     res.json({ success: true });
   } catch (error) {

server/routes/radarr.js

@@ -4,7 +4,7 @@ const axios = require('axios');
 const router = express.Router();
 const requireAuth = require('../middleware/requireAuth');
 const sanitizeError = require('../utils/sanitizeError');
-const { getWebhookSecret, getSofarrBaseUrl, getRadarrInstances } = require('../utils/config');
+const { getWebhookSecret, getSofarrBaseUrl, getRadarrInstances, getSofarrWebhookBaseUrl } = require('../utils/config');
 
 // Helper to get first Radarr instance (for notification proxy routes)
 function getFirstRadarrInstance() {
@@ -286,17 +286,17 @@ router.post('/notifications/sofarr-webhook', async (req, res) => {
     return res.status(503).json({ error: 'Radarr not configured' });
   }
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
-
-    if (!sofarrBaseUrl) {
+ 
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
       return res.status(400).json({ error: 'SOFARR_WEBHOOK_SECRET not configured' });
     }
-
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/radarr`;
+ 
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/radarr`;
 
     // Check if Sofarr webhook already exists
     const listResponse = await axios.get(`${instance.url}/api/v3/notification`, {

server/routes/sonarr.js

@@ -4,7 +4,7 @@ const axios = require('axios');
 const router = express.Router();
 const requireAuth = require('../middleware/requireAuth');
 const sanitizeError = require('../utils/sanitizeError');
-const { getWebhookSecret, getSofarrBaseUrl, getSonarrInstances } = require('../utils/config');
+const { getWebhookSecret, getSofarrBaseUrl, getSonarrInstances, getSofarrWebhookBaseUrl } = require('../utils/config');
 
 // Helper to get first Sonarr instance (for notification proxy routes)
 function getFirstSonarrInstance() {
@@ -286,17 +286,17 @@ router.post('/notifications/sofarr-webhook', async (req, res) => {
     return res.status(503).json({ error: 'Sonarr not configured' });
   }
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
-
-    if (!sofarrBaseUrl) {
+ 
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
       return res.status(400).json({ error: 'SOFARR_WEBHOOK_SECRET not configured' });
     }
-
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/sonarr`;
+ 
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/sonarr`;
 
     // Check if Sofarr webhook already exists
     const listResponse = await axios.get(`${instance.url}/api/v3/notification`, {

server/routes/webhook.js

@@ -144,13 +144,13 @@ const OMBI_EVENTS = new Set([
 ]);
 
 /**
- * Validate webhook secret from the X-Sofarr-Webhook-Secret header
+ * Validate webhook secret from the X-Sofarr-Webhook-Secret header or secret query parameter
  * @param {Object} req - Express request object
  * @returns {boolean} True if secret is valid, false otherwise
  */
 function validateWebhookSecret(req) {
   const expectedSecret = getWebhookSecret();
-  const providedSecret = req.get('X-Sofarr-Webhook-Secret');
+  const providedSecret = req.get('X-Sofarr-Webhook-Secret') || req.query.secret;
 
   if (!expectedSecret) {
     logToFile('[Webhook] WARNING: SOFARR_WEBHOOK_SECRET not configured, rejecting webhook');
@@ -158,7 +158,7 @@ function validateWebhookSecret(req) {
   }
 
   if (!providedSecret) {
-    logToFile('[Webhook] WARNING: Missing X-Sofarr-Webhook-Secret header');
+    logToFile('[Webhook] WARNING: Missing X-Sofarr-Webhook-Secret header or secret query parameter');
     return false;
   }
 
@@ -180,7 +180,7 @@ function validateWebhookSecret(req) {
  * @param {string} serviceType - 'sonarr', 'radarr', or 'ombi'
  * @param {string} eventType   - the eventType from the webhook payload
  */
-async function processWebhookEvent(serviceType, eventType) {
+async function processWebhookEvent(serviceType, eventType, payload = null) {
   const affectsQueue = QUEUE_EVENTS.has(eventType);
   const affectsHistory = HISTORY_EVENTS.has(eventType);
   const affectsOmbi = OMBI_EVENTS.has(eventType);
@@ -259,9 +259,66 @@ async function processWebhookEvent(serviceType, eventType) {
     const ombiInstances = getOmbiInstances();
 
     if (affectsOmbi) {
-      // Add a 2000ms delay to resolve the race condition where Ombi fires the webhook before committing to DB
-      await new Promise(r => setTimeout(r, 2000));
-      const ombiRequests = await arrRetrieverRegistry.getOmbiRequests(true);
+      const delayMs = parseInt(process.env.OMBI_WEBHOOK_REFRESH_DELAY_MS, 10);
+      const initialDelay = !isNaN(delayMs) ? delayMs : 2000;
+      logToFile(`[Webhook] Waiting initial delay of ${initialDelay}ms for Ombi webhook synchronization...`);
+      await new Promise(r => setTimeout(r, initialDelay));
+
+      const requestId = payload ? (payload.requestId || payload.RequestId || payload.id || payload.Id) : null;
+      const mediaType = payload ? (payload.type || payload.Type || '').toLowerCase() : null;
+
+      let ombiRequests = { movie: [], tv: [] };
+      let foundAndValid = false;
+      const maxRetries = 3;
+      const retryDelayMs = 1500;
+
+      for (let attempt = 1; attempt <= maxRetries; attempt++) {
+        if (attempt > 1) {
+          logToFile(`[Webhook] Ombi request not found or missing user (attempt ${attempt-1}/${maxRetries}), retrying in ${retryDelayMs}ms...`);
+          await new Promise(r => setTimeout(r, retryDelayMs));
+        }
+
+        ombiRequests = await arrRetrieverRegistry.getOmbiRequests(true);
+
+        if (!requestId) {
+          // If no requestId was provided in payload, we can't search specifically, so just accept the fetch
+          foundAndValid = true;
+          break;
+        }
+
+        // Search in movie or tv lists
+        const targetList = (mediaType === 'tv' || mediaType === 'series') ? (ombiRequests.tv || []) : (ombiRequests.movie || []);
+        // Also check both if mediaType not specified
+        const searchList = mediaType ? targetList : [...(ombiRequests.movie || []), ...(ombiRequests.tv || [])];
+
+        const targetReq = searchList.find(r => r && (r.id === requestId || r.Id === requestId));
+        if (targetReq) {
+          const user = extractRequestedUser(targetReq);
+          if (user) {
+            logToFile(`[Webhook] Verified request ${requestId} has valid user "${user}" on attempt ${attempt}`);
+            foundAndValid = true;
+            break;
+          } else {
+            logToFile(`[Webhook] Found request ${requestId} on attempt ${attempt}, but user extraction was empty.`);
+          }
+        } else {
+          logToFile(`[Webhook] Request ${requestId} not found in retrieved list on attempt ${attempt}.`);
+        }
+      }
+
+      if (!foundAndValid && requestId) {
+        logToFile(`[Webhook] WARNING: Could not verify request ${requestId} with valid user info after ${maxRetries} retries.`);
+        // Try to log the raw target request if we found one
+        ombiRequests = await arrRetrieverRegistry.getOmbiRequests(true);
+        const searchList = [...(ombiRequests.movie || []), ...(ombiRequests.tv || [])];
+        const targetReq = searchList.find(r => r && (r.id === requestId || r.Id === requestId));
+        if (targetReq) {
+          logToFile(`[Webhook] Raw request object where extraction failed: ${JSON.stringify(targetReq)}`);
+        } else {
+          logToFile(`[Webhook] Request ${requestId} was completely absent from Ombi requests list.`);
+        }
+      }
+
       cache.set('poll:ombi-requests', ombiRequests, CACHE_TTL);
       logToFile(`[Webhook] Refreshed poll:ombi-requests (${ombiRequests.movie?.length || 0} movies, ${ombiRequests.tv?.length || 0} TV shows)`);
     }
@@ -309,13 +366,13 @@ function validatePayload(body) {
  *       Receives webhook events from Sonarr instances. Validates the secret, logs the event,
  *       refreshes cache, broadcasts SSE, and returns 200 immediately (fire-and-forget processing).
  *
- *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header matching `SOFARR_WEBHOOK_SECRET`.
+ *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header or `secret` query parameter matching `SOFARR_WEBHOOK_SECRET`.
  *       No cookie authentication required (webhooks come from Sonarr, not browsers).
  *
  *       **Rate Limiting:** 60 requests per minute per IP.
  *
  *       **Validation:**
- *       - Secret validation via `X-Sofarr-Webhook-Secret` header
+ *       - Secret validation via `X-Sofarr-Webhook-Secret` header or `secret` query parameter
  *       - Payload validation (must be JSON object with eventType, instanceName, date)
  *       - Event type must be in allowlist (Test, Grab, Download, DownloadFailed, etc.)
  *       - Replay protection: rejects duplicate events within 5-minute window
@@ -342,6 +399,13 @@ function validatePayload(body) {
  *       - Header: `X-Sofarr-Webhook-Secret: {SOFARR_WEBHOOK_SECRET}`
  *       - Events: onGrab, onDownload, onUpgrade, onImport
  *     security: []
+ *     parameters:
+ *       - name: secret
+ *         in: query
+ *         required: false
+ *         schema:
+ *           type: string
+ *         description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
  *     requestBody:
  *       required: true
  *       content:
@@ -456,13 +520,13 @@ router.post('/sonarr', webhookLimiter, (req, res) => {
  *       Receives webhook events from Radarr instances. Validates the secret, logs the event,
  *       refreshes cache, broadcasts SSE, and returns 200 immediately (fire-and-forget processing).
  *
- *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header matching `SOFARR_WEBHOOK_SECRET`.
+ *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header or `secret` query parameter matching `SOFARR_WEBHOOK_SECRET`.
  *       No cookie authentication required (webhooks come from Radarr, not browsers).
  *
  *       **Rate Limiting:** 60 requests per minute per IP.
  *
  *       **Validation:**
- *       - Secret validation via `X-Sofarr-Webhook-Secret` header
+ *       - Secret validation via `X-Sofarr-Webhook-Secret` header or `secret` query parameter
  *       - Payload validation (must be JSON object with eventType, instanceName, date)
  *       - Event type must be in allowlist (Test, Grab, Download, DownloadFailed, etc.)
  *       - Replay protection: rejects duplicate events within 5-minute window
@@ -489,6 +553,13 @@ router.post('/sonarr', webhookLimiter, (req, res) => {
  *       - Header: `X-Sofarr-Webhook-Secret: {SOFARR_WEBHOOK_SECRET}`
  *       - Events: onGrab, onDownload, onUpgrade, onImport
  *     security: []
+ *     parameters:
+ *       - name: secret
+ *         in: query
+ *         required: false
+ *         schema:
+ *           type: string
+ *         description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
  *     requestBody:
  *       required: true
  *       content:
@@ -603,13 +674,13 @@ router.post('/radarr', webhookLimiter, (req, res) => {
  *       Receives webhook events from Ombi instances. Validates the secret, logs the event,
  *       refreshes cache, broadcasts SSE, and returns 200 immediately (fire-and-forget processing).
  *
- *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header matching `SOFARR_WEBHOOK_SECRET`.
+ *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header or `secret` query parameter matching `SOFARR_WEBHOOK_SECRET`.
  *       No cookie authentication required (webhooks come from Ombi, not browsers).
  *
  *       **Rate Limiting:** 60 requests per minute per IP.
  *
  *       **Validation:**
- *       - Secret validation via `X-Sofarr-Webhook-Secret` header
+ *       - Secret validation via `X-Sofarr-Webhook-Secret` header or `secret` query parameter
  *       - Payload validation (must be JSON object with notificationType, requestId)
  *       - Event type must be in allowlist (RequestAvailable, RequestApproved, RequestDeclined, RequestPending, RequestProcessing)
  *       - Replay protection: rejects duplicate events within 5-minute window
@@ -627,11 +698,17 @@ router.post('/radarr', webhookLimiter, (req, res) => {
  *       6. Background: fetch fresh data from Ombi, update cache, broadcast SSE
  *
  *       **x-integration-notes:** Configure Ombi webhook:
- *       - URL: `{SOFARR_BASE_URL}/api/webhook/ombi`
+ *       - URL: `{SOFARR_BASE_URL}/api/webhook/ombi?secret={SOFARR_WEBHOOK_SECRET}`
  *       - Method: POST
- *       - Header: `X-Sofarr-Webhook-Secret: {SOFARR_WEBHOOK_SECRET}`
  *       - Application Token: OMBI_API_KEY
  *     security: []
+ *     parameters:
+ *       - name: secret
+ *         in: query
+ *         required: false
+ *         schema:
+ *           type: string
+ *         description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
  *     requestBody:
  *       required: true
  *       content:
@@ -757,7 +834,7 @@ router.post('/ombi', webhookLimiter, (req, res) => {
     }
 
     // Background cache refresh + SSE broadcast (fire-and-forget)
-    processWebhookEvent('ombi', eventType).catch(err => {
+    processWebhookEvent('ombi', eventType, req.body).catch(err => {
       logToFile(`[Webhook] Ombi background refresh error: ${err.message}`);
     });
 

server/services/DownloadMatcher.js

@@ -215,6 +215,9 @@ async function matchSabSlots(slots, context) {
           if (isAdmin) {
             dlObj.downloadPath = slot.storage || null;
             dlObj.targetPath = series.path || null;
+            if (series && !series._instanceUrl && sonarrMatch._instanceUrl) {
+              series._instanceUrl = sonarrMatch._instanceUrl;
+            }
             dlObj.arrLink = DownloadAssembler.getSonarrLink(series);
             dlObj.arrInstanceKey = sonarrMatch._instanceKey || null;
           }
@@ -269,6 +272,9 @@ async function matchSabSlots(slots, context) {
           if (isAdmin) {
             dlObj.downloadPath = slot.storage || null;
             dlObj.targetPath = movie.path || null;
+            if (movie && !movie._instanceUrl && radarrMatch._instanceUrl) {
+              movie._instanceUrl = radarrMatch._instanceUrl;
+            }
             dlObj.arrLink = DownloadAssembler.getRadarrLink(movie);
             dlObj.arrInstanceKey = radarrMatch._instanceKey || null;
           }
@@ -459,6 +465,9 @@ async function matchTorrents(torrents, context) {
           if (isAdmin) {
             download.downloadPath = download.savePath || null;
             download.targetPath = series.path || null;
+            if (series && !series._instanceUrl && sonarrMatch._instanceUrl) {
+              series._instanceUrl = sonarrMatch._instanceUrl;
+            }
             download.arrLink = DownloadAssembler.getSonarrLink(series);
             download.arrInstanceKey = sonarrMatch._instanceKey || null;
           }
@@ -505,6 +514,9 @@ async function matchTorrents(torrents, context) {
           if (isAdmin) {
             download.downloadPath = download.savePath || null;
             download.targetPath = movie.path || null;
+            if (movie && !movie._instanceUrl && radarrMatch._instanceUrl) {
+              movie._instanceUrl = radarrMatch._instanceUrl;
+            }
             download.arrLink = DownloadAssembler.getRadarrLink(movie);
             download.arrInstanceKey = radarrMatch._instanceKey || null;
           }

server/utils/config.js

@@ -130,6 +130,10 @@ function getSofarrBaseUrl() {
   return process.env.SOFARR_BASE_URL || '';
 }
 
+function getSofarrWebhookBaseUrl() {
+  return process.env.SOFARR_WEBHOOK_BASE_URL || process.env.SOFARR_BASE_URL || '';
+}
+
 module.exports = {
   getSABnzbdInstances,
   getSonarrInstances,
@@ -140,6 +144,7 @@ module.exports = {
   getRtorrentInstances,
   getWebhookSecret,
   getSofarrBaseUrl,
+  getSofarrWebhookBaseUrl,
   parseInstances,
   validateInstanceUrl
 };

server/utils/ombiFilters.js

@@ -17,6 +17,23 @@ function getRequestStatus(request) {
   if (request.denied) return 'denied';
   if (request.approved) return 'approved';
   if (request.requested) return 'pending';
+
+  // Ombi TV requests store status flags inside childRequests
+  if (Array.isArray(request.childRequests) && request.childRequests.length > 0) {
+    for (const child of request.childRequests) {
+      if (child && child.available) return 'available';
+    }
+    for (const child of request.childRequests) {
+      if (child && child.denied) return 'denied';
+    }
+    for (const child of request.childRequests) {
+      if (child && child.approved) return 'approved';
+    }
+    for (const child of request.childRequests) {
+      if (child && child.requested) return 'pending';
+    }
+  }
+
   return 'unknown';
 }
 

server/utils/ombiHelpers.js

@@ -5,6 +5,8 @@
  * not a string, so we need to extract the username from the object.
  */
 
+const { logToFile } = require('./logger');
+
 /**
  * Extracts the username from an Ombi request object.
  * Handles both the OmbiUser object format and legacy string format.
@@ -15,19 +17,57 @@
 function extractRequestedUser(request) {
   if (!request) return '';
   
-  const requestedUser = request.requestedUser || request.RequestedUser;
-  
-  // Handle object format: OmbiStore.Entities.OmbiUser
-  if (requestedUser && typeof requestedUser === 'object') {
-    // Priority: alias > userAlias > userName > normalizedUserName > requestedByAlias
-    return requestedUser.alias || requestedUser.Alias ||
-           requestedUser.userAlias || requestedUser.UserAlias ||
-           requestedUser.userName || requestedUser.UserName ||
-           requestedUser.normalizedUserName || requestedUser.NormalizedUserName ||
-           request.requestedByAlias || request.RequestedByAlias || '';
+  // Try to locate a user object or string from various fields common to Ombi Movies and TV shows
+  const userSource = request.requestedUser || request.RequestedUser ||
+                     request.user || request.User ||
+                     request.requestedBy || request.RequestedBy ||
+                     request.ombiUser || request.OmbiUser ||
+                     request.requestedByUser || request.RequestedByUser;
+
+  // If userSource is an object, extract key fields
+  if (userSource && typeof userSource === 'object') {
+    const username = userSource.alias || userSource.Alias ||
+                     userSource.userAlias || userSource.UserAlias ||
+                     userSource.userName || userSource.UserName ||
+                     userSource.normalizedUserName || userSource.NormalizedUserName ||
+                     userSource.displayName || userSource.DisplayName ||
+                     userSource.email || userSource.Email;
+    if (username) return username;
   }
-  // Handle string format (fallback for compatibility)
-  return requestedUser || request.requestedByAlias || request.RequestedByAlias || '';
+
+  // If userSource is a string and not an empty object/array
+  if (userSource && typeof userSource === 'string') {
+    return userSource;
+  }
+
+  // Fallbacks on the request root level
+  const rootFallback = request.requestedByAlias || request.RequestedByAlias ||
+                       request.requestedByUsername || request.RequestedByUsername ||
+                       request.requester || request.Requester ||
+                       request.requestedByEmail || request.RequestedByEmail;
+  if (rootFallback) return rootFallback;
+
+  // Check seasons / childRequests nested arrays (common for Ombi TV show requests)
+  if (Array.isArray(request.seasons)) {
+    for (const season of request.seasons) {
+      const seasonUser = extractRequestedUser(season);
+      if (seasonUser) return seasonUser;
+    }
+  }
+  
+  if (Array.isArray(request.childRequests)) {
+    for (const child of request.childRequests) {
+      const childUser = extractRequestedUser(child);
+      if (childUser) return childUser;
+    }
+  }
+
+  // Add warning log when user extraction returns empty for non-empty requests
+  if (Object.keys(request).length > 0 && !request.notificationType) {
+    logToFile(`[Ombi] WARNING: User extraction failed for request: ${JSON.stringify(request)}`);
+  }
+
+  return '';
 }
 
 function filterRequestsByUser(requests, username, showAll) {
@@ -40,7 +80,73 @@ function filterRequestsByUser(requests, username, showAll) {
   });
 }
 
+async function decorateRequestsWithArrLinks(requests, isAdmin) {
+  if (!isAdmin || !Array.isArray(requests)) return;
+
+  const arrRetrieverRegistry = require('./arrRetrievers');
+  await arrRetrieverRegistry.initialize();
+
+  const sonarrRetrievers = arrRetrieverRegistry.getRetrieversByType('sonarr') || [];
+  const radarrRetrievers = arrRetrieverRegistry.getRetrieversByType('radarr') || [];
+
+  const [sonarrData, radarrData] = await Promise.all([
+    Promise.all(sonarrRetrievers.map(async r => {
+      try {
+        const response = await require('axios').get(`${r.url}/api/v3/series`, {
+          headers: { 'X-Api-Key': r.apiKey }
+        });
+        return { instance: r, series: response.data || [] };
+      } catch {
+        return { instance: r, series: [] };
+      }
+    })),
+    Promise.all(radarrRetrievers.map(async r => {
+      try {
+        const response = await require('axios').get(`${r.url}/api/v3/movie`, {
+          headers: { 'X-Api-Key': r.apiKey }
+        });
+        return { instance: r, movies: response.data || [] };
+      } catch {
+        return { instance: r, movies: [] };
+      }
+    }))
+  ]);
+
+  requests.forEach(req => {
+    // Determine if it's TV or Movie. Often `mediaType` is set, or `type === 'Tv'`
+    // Fallback to checking for TV specific IDs.
+    const isTv = req.mediaType === 'tv' || req.type === 'Tv' || req.tvDbId || req.tvdbId || req.theTvDbId || req.theTvdbId || req.TvDbId || req.TheTvDbId;
+
+    if (isTv) {
+      const tvdbId = req.theTvDbId || req.theTvdbId || req.tvDbId || req.tvdbId || req.TvDbId || req.TheTvDbId || req.theMovieDbId || req.theTmdbId;
+      if (!tvdbId) return;
+
+      for (const instData of sonarrData) {
+        const match = instData.series.find(s => s && (s.tvdbId === parseInt(tvdbId, 10) || s.tmdbId === parseInt(tvdbId, 10)));
+        if (match && match.titleSlug) {
+          req.arrLink = `${instData.instance.url}/series/${match.titleSlug}`;
+          req.arrType = 'sonarr';
+          break;
+        }
+      }
+    } else {
+      const tmdbId = req.theMovieDbId || req.imdbId || req.theTmdbId || req.TheMovieDbId || req.ImdbId;
+      if (!tmdbId) return;
+
+      for (const instData of radarrData) {
+        const match = instData.movies.find(m => m && (m.tmdbId === parseInt(tmdbId, 10) || m.imdbId === tmdbId));
+        if (match && match.titleSlug) {
+          req.arrLink = `${instData.instance.url}/movie/${match.titleSlug}`;
+          req.arrType = 'radarr';
+          break;
+        }
+      }
+    }
+  });
+}
+
 module.exports = {
   extractRequestedUser,
-  filterRequestsByUser
+  filterRequestsByUser,
+  decorateRequestsWithArrLinks
 };

server/utils/poller.js

@@ -8,6 +8,7 @@ const {
   getRadarrInstances,
   getOmbiInstances
 } = require('./config');
+const { logToFile } = require('./logger');
 
 const rawPollInterval = (process.env.POLL_INTERVAL || '').toLowerCase();
 const POLL_INTERVAL = (rawPollInterval === 'off' || rawPollInterval === 'false' || rawPollInterval === 'disabled')

tests/frontend/ui/requests.test.js

@@ -0,0 +1,178 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+/**
+ * @vitest-environment jsdom
+ * Tests for client/src/ui/requests.js
+ *
+ * Verifies requests dashboard rendering, tooltips, dates, and deep links.
+ */
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { renderRequests } from '../../../client/src/ui/requests.js';
+import { state } from '../../../client/src/state.js';
+
+vi.mock('../../../client/src/state.js', () => {
+  return {
+    state: {
+      ombiRequests: { movie: [], tv: [] },
+      selectedRequestTypes: ['movie', 'tv'],
+      selectedRequestStatuses: ['pending', 'approved', 'available', 'denied'],
+      requestSortMode: 'requestedDate_desc',
+      requestSearchQuery: '',
+      ombiBaseUrl: 'https://ombi.test',
+      isAdmin: false
+    }
+  };
+});
+
+describe('requests rendering', () => {
+  let requestsList, noRequests;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    
+    document.body.innerHTML = `
+      <div id="requests-list"></div>
+      <div id="no-requests" style="display: none;"><p></p></div>
+    `;
+    
+    requestsList = document.getElementById('requests-list');
+    noRequests = document.getElementById('no-requests');
+    
+    state.ombiRequests = { movie: [], tv: [] };
+    state.isAdmin = false;
+    state.ombiBaseUrl = 'https://ombi.test';
+  });
+
+  it('renders "No requests found." when request arrays are empty', () => {
+    renderRequests();
+    
+    expect(requestsList.childNodes.length).toBe(0);
+    expect(noRequests.style.display).toBe('block');
+    expect(noRequests.querySelector('p').textContent).toBe('No requests found.');
+  });
+
+  it('renders request card with correctly formatted date, media type, and requester', () => {
+    state.ombiRequests = {
+      movie: [
+        {
+          id: 101,
+          title: 'Movie Test',
+          year: '2026',
+          requestedUser: { alias: 'john_doe' },
+          requestedDate: '2026-05-27T10:15:30.000Z',
+          quality: '1080p',
+          theMovieDbId: 555,
+          requested: true
+        }
+      ],
+      tv: []
+    };
+    
+    renderRequests();
+    
+    expect(requestsList.childNodes.length).toBe(1);
+    const card = requestsList.childNodes[0];
+    expect(card.querySelector('.request-title').textContent).toBe('Movie Test');
+    expect(card.querySelector('.request-year').textContent).toBe('2026');
+    expect(card.querySelector('.request-user').textContent).toBe('Requested by: john_doe');
+    
+    // Check formatted date
+    const dateEl = card.querySelector('.request-date');
+    expect(dateEl).toBeTruthy();
+    expect(dateEl.textContent).toContain('Date: 2026-05-27');
+    
+    // Check view in Ombi link
+    const ombiLink = card.querySelector('.ombi-link');
+    expect(ombiLink).toBeTruthy();
+    expect(ombiLink.href).toBe('https://ombi.test/details/movie/555');
+  });
+
+  it('renders "Unknown (Ombi)" with tooltip when requester is missing', () => {
+    state.ombiRequests = {
+      movie: [],
+      tv: [
+        {
+          id: 201,
+          title: 'TV Test No User',
+          requestedDate: '2026-05-27T12:00:00.000Z',
+          requested: true
+        }
+      ]
+    };
+    
+    renderRequests();
+    
+    expect(requestsList.childNodes.length).toBe(1);
+    const card = requestsList.childNodes[0];
+    const userEl = card.querySelector('.request-user');
+    expect(userEl).toBeTruthy();
+    expect(userEl.textContent).toBe('Requested by: Unknown (Ombi)');
+    expect(userEl.title).toBe('No user information received from Ombi');
+    expect(userEl.style.textDecoration).toBe('underline dotted');
+  });
+
+  it('does NOT render Sonarr/Radarr deep links for non-admin users', () => {
+    state.isAdmin = false;
+    state.ombiRequests = {
+      movie: [
+        {
+          id: 101,
+          title: 'Movie Test',
+          theMovieDbId: 555,
+          arrLink: 'http://radarr:7878/movie/slug',
+          arrType: 'radarr',
+          requested: true
+        }
+      ],
+      tv: []
+    };
+    
+    renderRequests();
+    
+    const card = requestsList.childNodes[0];
+    expect(card.querySelector('.radarr-link')).toBeNull();
+  });
+
+  it('renders Sonarr/Radarr deep links next to Ombi link for administrators', () => {
+    state.isAdmin = true;
+    state.ombiRequests = {
+      movie: [
+        {
+          id: 101,
+          title: 'Movie Test',
+          theMovieDbId: 555,
+          arrLink: 'http://radarr:7878/movie/slug',
+          arrType: 'radarr',
+          requested: true
+        }
+      ],
+      tv: [
+        {
+          id: 202,
+          title: 'TV Show Test',
+          theMovieDbId: 666,
+          arrLink: 'http://sonarr:8989/series/slug',
+          arrType: 'sonarr',
+          requested: true
+        }
+      ]
+    };
+    
+    renderRequests();
+    
+    expect(requestsList.childNodes.length).toBe(2);
+    
+    // Check Radarr link
+    const movieCard = requestsList.childNodes[0];
+    const radarrLink = movieCard.querySelector('.radarr-link');
+    expect(radarrLink).toBeTruthy();
+    expect(radarrLink.href).toBe('http://radarr:7878/movie/slug');
+    expect(radarrLink.title).toBe('View in Radarr');
+    
+    // Check Sonarr link
+    const tvCard = requestsList.childNodes[1];
+    const sonarrLink = tvCard.querySelector('.sonarr-link');
+    expect(sonarrLink).toBeTruthy();
+    expect(sonarrLink.href).toBe('http://sonarr:8989/series/slug');
+    expect(sonarrLink.title).toBe('View in Sonarr');
+  });
+});

tests/frontend/ui/theme.test.js

@@ -0,0 +1,94 @@
+// Copyright (c) 2026 Gordon Bolton. MIT License.
+/**
+ * @vitest-environment jsdom
+ * Tests for client/src/ui/theme.js
+ *
+ * Verifies DOM actions for theme switcher button clicks, attributes, and storage calls.
+ */
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { initThemeSwitcher, setTheme } from '../../../client/src/ui/theme.js';
+import * as storage from '../../../client/src/utils/storage.js';
+
+vi.mock('../../../client/src/utils/storage.js', () => {
+  let store = {};
+  return {
+    getTheme: vi.fn(() => store.theme || 'light'),
+    saveTheme: vi.fn((theme) => { store.theme = theme; })
+  };
+});
+
+describe('theme switcher', () => {
+  let lightBtn, darkBtn, monoBtn;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    document.documentElement.removeAttribute('data-theme');
+    
+    // Create mock theme buttons
+    document.body.innerHTML = `
+      <div class="theme-switcher">
+        <button class="theme-btn" data-theme="light">Light</button>
+        <button class="theme-btn" data-theme="dark">Dark</button>
+        <button class="theme-btn" data-theme="mono">Mono</button>
+      </div>
+    `;
+    
+    lightBtn = document.querySelector('[data-theme="light"]');
+    darkBtn = document.querySelector('[data-theme="dark"]');
+    monoBtn = document.querySelector('[data-theme="mono"]');
+  });
+
+  it('initThemeSwitcher sets active class based on saved theme on load', () => {
+    vi.spyOn(storage, 'getTheme').mockReturnValue('dark');
+    
+    initThemeSwitcher();
+    
+    expect(storage.getTheme).toHaveBeenCalled();
+    expect(darkBtn.classList.contains('active')).toBe(true);
+    expect(lightBtn.classList.contains('active')).toBe(false);
+    expect(monoBtn.classList.contains('active')).toBe(false);
+  });
+
+  it('initThemeSwitcher defaults to light theme if no theme is saved', () => {
+    vi.spyOn(storage, 'getTheme').mockReturnValue(null);
+    
+    initThemeSwitcher();
+    
+    expect(lightBtn.classList.contains('active')).toBe(true);
+    expect(darkBtn.classList.contains('active')).toBe(false);
+  });
+
+  it('clicking theme button switches the document theme and persists choice', () => {
+    initThemeSwitcher();
+    
+    // Initial active button should be light
+    expect(lightBtn.classList.contains('active')).toBe(true);
+    
+    // Click Dark
+    darkBtn.click();
+    
+    expect(document.documentElement.getAttribute('data-theme')).toBe('dark');
+    expect(storage.saveTheme).toHaveBeenCalledWith('dark');
+    expect(darkBtn.classList.contains('active')).toBe(true);
+    expect(lightBtn.classList.contains('active')).toBe(false);
+    
+    // Click Mono
+    monoBtn.click();
+    
+    expect(document.documentElement.getAttribute('data-theme')).toBe('mono');
+    expect(storage.saveTheme).toHaveBeenCalledWith('mono');
+    expect(monoBtn.classList.contains('active')).toBe(true);
+    expect(darkBtn.classList.contains('active')).toBe(false);
+  });
+
+  it('setTheme directly sets document attribute and updates button classes if present', () => {
+    initThemeSwitcher(); // binds buttons
+    
+    setTheme('mono');
+    
+    expect(document.documentElement.getAttribute('data-theme')).toBe('mono');
+    expect(storage.saveTheme).toHaveBeenCalledWith('mono');
+    expect(monoBtn.classList.contains('active')).toBe(true);
+    expect(lightBtn.classList.contains('active')).toBe(false);
+  });
+});

tests/integration/dashboard.test.js

@@ -225,7 +225,7 @@ function invalidatePollCache() {
     'poll:sab-queue', 'poll:sab-history',
     'poll:sonarr-queue', 'poll:sonarr-history', 'poll:sonarr-tags',
     'poll:radarr-queue', 'poll:radarr-history', 'poll:radarr-tags',
-    'poll:qbittorrent'
+    'poll:qbittorrent', 'poll:ombi-requests'
   ];
   for (const k of keys) cache.invalidate(k);
 }
@@ -349,6 +349,7 @@ describe('GET /api/dashboard/user-downloads', () => {
       expect(dl.arrQueueId).toBe(1002);
       expect(dl.arrType).toBe('sonarr');
       expect(dl.arrInstanceUrl).toBe(SONARR_BASE);
+      expect(dl.arrLink).toBe(SONARR_BASE + '/series/admin-show');
       expect(dl.downloadPath).toBeDefined();
     });
 
@@ -749,12 +750,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf } = await loginAs(app);
     const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
-    
-    // Mock getAllDownloads to return a download that doesn't qualify for blocklist
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
+
+    // Seed cache: queue record exists but has no import issues (non-admin cannot blocklist)
+    cache.set('poll:sonarr-queue', { records: [{
+      id: 1,
+      title: 'My.Show.S01E01.720p',
+      trackedDownloadState: 'downloading',
+      trackedDownloadStatus: 'ok'
+    }] }, CACHE_TTL);
 
     const res = await request(app)
       .post('/api/dashboard/blocklist-search')
@@ -763,18 +766,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'key', arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(403);
     expect(res.body.error).toMatch(/permission denied/i);
-    mockGetAllDownloads.mockRestore();
   });
 
-  it('returns 403 for non-admin when download not found in active downloads', async () => {
+  it('returns 403 for non-admin when download not found in arr queue cache', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf } = await loginAs(app);
     const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
-    
-    // Mock getAllDownloads to return empty array (download not found)
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([]);
 
+    // Cache is already seeded empty by beforeEach; no queue record with id=1 exists
     const res = await request(app)
       .post('/api/dashboard/blocklist-search')
       .set('Cookie', [...cookies, csrfCookie].join('; '))
@@ -782,19 +781,21 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(403);
     expect(res.body.error).toMatch(/download not found/i);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 200 for non-admin with import issues (qualifying condition)', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf } = await loginAs(app);
     const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
-    
-    // Mock getAllDownloads to return a download with import issues (qualifies for blocklist)
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1, arrType: 'sonarr', importIssues: ['Import error 1'], qbittorrent: null }
-    ]);
+
+    // Seed cache: queue record with import issues — qualifies non-admin for blocklist
+    cache.set('poll:sonarr-queue', { records: [{
+      id: 1,
+      title: 'My.Show.S01E01.720p',
+      trackedDownloadState: 'importPending',
+      trackedDownloadStatus: 'warning',
+      statusMessages: [{ messages: ['Import error 1'] }]
+    }] }, CACHE_TTL);
 
     // Mock Sonarr DELETE and command endpoints
     nock(SONARR_BASE)
@@ -812,7 +813,6 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 400 when required fields are missing', async () => {
@@ -843,11 +843,8 @@ describe('POST /api/dashboard/blocklist-search', () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    // Mock getAllDownloads to return a matching download for admin
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
+    // Seed the Sonarr queue cache so the permission lookup finds the record
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -864,18 +861,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('calls Radarr DELETE+command and returns ok:true', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    // Mock getAllDownloads to return a matching download for admin
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 2001, arrType: 'radarr', importIssues: [], qbittorrent: null }
-    ]);
+    // Seed the Radarr queue cache so the permission lookup finds the record
+    cache.set('poll:radarr-queue', { records: [RADARR_QUEUE_RECORD] }, CACHE_TTL);
 
     nock(RADARR_BASE)
       .delete('/api/v3/queue/2001')
@@ -892,18 +885,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 2001, arrType: 'radarr', arrInstanceUrl: RADARR_BASE, arrInstanceKey: 'rk', arrContentId: 99, arrContentType: 'movie' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 502 when Sonarr DELETE request fails', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    // Mock getAllDownloads to return a matching download for admin
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
+    // Seed the Sonarr queue cache so the permission lookup finds the record
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -916,17 +905,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .set('X-CSRF-Token', csrf)
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(502);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 200 OK when arrContentId is null but arrSeriesId is present (fallback SeriesSearch)', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
+    // Seed the Sonarr queue cache so the permission lookup finds the record
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -943,17 +929,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrSeriesId: 42, arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('triggers EpisodeSearch with multiple episode IDs when arrContentIds is provided', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
+    // Seed the Sonarr queue cache so the permission lookup finds the record
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -970,7 +953,42 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrContentIds: [12, 13, 14], arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
+  });
+
+  it('matches download correctly when arrQueueId is sent as a string but stored as a number in queue cache (type mismatch regression)', async () => {
+    // Regression test for issue #48 (v2): arrQueueId from the SPA DOM dataset is always
+    // a string, but the queue record id from the Radarr/Sonarr API cache is a number.
+    // Without String() casting the === comparison fails and returns 403.
+    const app = createApp({ skipRateLimits: true });
+    const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
+
+    // Seed Radarr queue with a numeric id (as Radarr API returns it)
+    cache.set('poll:radarr-queue', { records: [{
+      id: 9050001,
+      title: 'Project.Hail.Mary.2026.2160p',
+      movieId: 77,
+      trackedDownloadState: 'downloading',
+      trackedDownloadStatus: 'ok',
+      _instanceUrl: RADARR_BASE,
+      _instanceKey: 'rk'
+    }] }, CACHE_TTL);
+
+    nock(RADARR_BASE)
+      .delete('/api/v3/queue/9050001')
+      .query({ removeFromClient: 'true', blocklist: 'true' })
+      .reply(200, {});
+    nock(RADARR_BASE)
+      .post('/api/v3/command')
+      .reply(200, {});
+
+    const res = await request(app)
+      .post('/api/dashboard/blocklist-search')
+      .set('Cookie', [...cookies, csrfCookie].join('; '))
+      .set('X-CSRF-Token', csrf)
+      // arrQueueId sent as a STRING from the client (as the SPA DOM dataset does)
+      .send({ arrQueueId: '9050001', arrType: 'radarr', arrInstanceUrl: RADARR_BASE, arrInstanceKey: 'rk', arrContentId: 77, arrContentType: 'movie' });
+    expect(res.status).toBe(200);
+    expect(res.body.ok).toBe(true);
   });
 });
 

tests/integration/ombi.test.js

@@ -233,6 +233,48 @@ describe('GET /api/ombi/requests', () => {
     expect(res.body.requests.movie[0].requestedUser.userName).toBe('adminuser');
   });
 
+  it('decorates TV requests with Sonarr links using tvDbId camelCase property (Issue #58)', async () => {
+    // 1. Setup mock instance config
+    process.env.SONARR_INSTANCES = JSON.stringify([
+      { id: 'sonarr-1', name: 'Test Sonarr', url: 'https://sonarr.test', apiKey: 'sonarr-key' }
+    ]);
+    
+    // Reset and re-initialize retrievers registry to pick up the Sonarr instance
+    arrRetrieverRegistry.retrievers.clear();
+    arrRetrieverRegistry.initialized = false;
+    
+    // 2. Setup mock Ombi TV request carrying `tvDbId` instead of `theTvDbId`
+    const tvRequestsWithTvDbId = [
+      { id: 4, title: 'Superman Show', requestedUser: { userName: 'adminuser' }, requestedByAlias: 'adminuser', type: 'tv', tvDbId: '101' }
+    ];
+    
+    nock.cleanAll();
+    setupOmbiRequestMocks(OMBI_REQUESTS.movie, tvRequestsWithTvDbId);
+    
+    // 3. Mock Sonarr API series call returning the series with matching tvdbId and titleSlug
+    nock('https://sonarr.test')
+      .get('/api/v3/series')
+      .reply(200, [
+        { tvdbId: 101, title: 'Superman Show', titleSlug: 'superman-show' }
+      ]);
+      
+    const { cookies } = await authenticateUser(app, 'AdminUser', true);
+    
+    const res = await request(app)
+      .get('/api/ombi/requests?showAll=true')
+      .set('Cookie', cookies)
+      .expect(200);
+      
+    // 4. Assert decoration succeeded
+    const supermanShow = res.body.requests.tv.find(r => r.id === 4);
+    expect(supermanShow).toBeDefined();
+    expect(supermanShow.arrLink).toBe('https://sonarr.test/series/superman-show');
+    expect(supermanShow.arrType).toBe('sonarr');
+    
+    // Clean up
+    delete process.env.SONARR_INSTANCES;
+  });
+
   it('handles case-insensitive username matching', async () => {
     const requestsWithMixedCase = [
       { id: 1, title: 'Test Movie', requestedUser: { userName: 'TestUser' }, requestedByAlias: 'TestUser', type: 'movie' },
@@ -856,7 +898,7 @@ describe('POST /api/ombi/webhook/enable', () => {
       .post('/api/v1/Settings/notifications/webhook', {
         id: 42,
         enabled: true,
-        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi`,
+        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi?secret=test-webhook-secret`,
         applicationToken: 'test-ombi-key'
       })
       .reply(200, { success: true });
@@ -870,7 +912,7 @@ describe('POST /api/ombi/webhook/enable', () => {
       .expect(200);
     
     expect(res.body.success).toBe(true);
-    expect(res.body.webhookUrl).toBe(`${SOFARR_BASE}/api/webhook/ombi`);
+    expect(res.body.webhookUrl).toBe(`${SOFARR_BASE}/api/webhook/ombi?secret=test-webhook-secret`);
     expect(res.body.applicationToken).toBe('test-ombi-key');
   });
 
@@ -882,7 +924,7 @@ describe('POST /api/ombi/webhook/enable', () => {
       .post('/api/v1/Settings/notifications/webhook', {
         id: 0,
         enabled: true,
-        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi`,
+        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi?secret=test-webhook-secret`,
         applicationToken: 'test-ombi-key'
       })
       .reply(200, { success: true });
@@ -1014,10 +1056,16 @@ describe('POST /api/ombi/webhook/test', () => {
     expect(webhookScope.isDone()).toBe(true);
   });
 
-  it('handles webhook send errors gracefully', async () => {
+  it('handles webhook send errors gracefully when both public and loopback fail', async () => {
     nock(SOFARR_BASE)
       .post('/api/webhook/ombi')
       .reply(500, { error: 'Internal server error' });
+    nock('http://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(500, { error: 'Internal server error' });
+    nock('https://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(500, { error: 'Internal server error' });
     
     const { cookies, csrfToken } = await authenticateUser(app, 'TestUser', false);
     
@@ -1029,4 +1077,26 @@ describe('POST /api/ombi/webhook/test', () => {
     
     expect(res.body.error).toBe('Failed to test Ombi webhook');
   });
+
+  it('falls back to local loopback when public URL request fails', async () => {
+    nock(SOFARR_BASE)
+      .post('/api/webhook/ombi')
+      .replyWithError('Connection refused');
+    nock('http://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(200, { received: true });
+    nock('https://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(200, { received: true });
+    
+    const { cookies, csrfToken } = await authenticateUser(app, 'TestUser', false);
+    
+    const res = await request(app)
+      .post('/api/ombi/webhook/test')
+      .set('Cookie', cookies)
+      .set('X-CSRF-Token', csrfToken)
+      .expect(200);
+    
+    expect(res.body.success).toBe(true);
+  });
 });

tests/integration/swagger-coverage.test.js

@@ -196,6 +196,18 @@ describe('Swagger Coverage', () => {
     expect(paths['/api/ombi/webhook/test'].post).toBeDefined();
   });
 
+  it('should have Debug logging endpoints documented', () => {
+    const paths = openapiSpec.paths;
+    
+    expect(paths['/api/debug/status']).toBeDefined();
+    expect(paths['/api/debug/status'].get).toBeDefined();
+    expect(paths['/api/debug/server-logs']).toBeDefined();
+    expect(paths['/api/debug/server-logs'].get).toBeDefined();
+    expect(paths['/api/debug/client-logs']).toBeDefined();
+    expect(paths['/api/debug/client-logs'].get).toBeDefined();
+    expect(paths['/api/debug/client-logs'].post).toBeDefined();
+  });
+
   it('should return 200 for Swagger UI endpoint', async () => {
     const response = await request(app).get('/api/swagger').redirects(1);
     expect(response.status).toBe(200);

tests/integration/webhook.test.js

@@ -156,6 +156,24 @@ describe('POST /api/webhook/sonarr — secret validation', () => {
     const res = await postSonarr(app, SONARR_GRAB, 'anything');
     expect(res.status).toBe(401);
   });
+
+  it('returns 200 when secret is provided as a query parameter instead of header', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post(`/api/webhook/sonarr?secret=${VALID_SECRET}`)
+      .send(SONARR_GRAB);
+    expect(res.status).toBe(200);
+    expect(res.body.received).toBe(true);
+  });
+
+  it('returns 401 when secret is provided as an invalid query parameter', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post('/api/webhook/sonarr?secret=wrong-query-secret')
+      .send(SONARR_GRAB);
+    expect(res.status).toBe(401);
+    expect(res.body.error).toBe('Unauthorized');
+  });
 });
 
 describe('POST /api/webhook/radarr — secret validation', () => {
@@ -171,6 +189,23 @@ describe('POST /api/webhook/radarr — secret validation', () => {
     const res = await postRadarr(app, RADARR_GRAB, 'bad-secret');
     expect(res.status).toBe(401);
   });
+
+  it('returns 200 when secret is provided as a query parameter instead of header', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post(`/api/webhook/radarr?secret=${VALID_SECRET}`)
+      .send(RADARR_GRAB);
+    expect(res.status).toBe(200);
+    expect(res.body.received).toBe(true);
+  });
+
+  it('returns 401 when secret is provided as an invalid query parameter', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post('/api/webhook/radarr?secret=wrong-query-secret')
+      .send(RADARR_GRAB);
+    expect(res.status).toBe(401);
+  });
 });
 
 // ---------------------------------------------------------------------------
@@ -548,6 +583,40 @@ describe('POST /api/webhook/ombi', () => {
     expect(res.body.error).toBe('Unauthorized');
   });
 
+  it('returns 200 when secret is provided as a query parameter instead of header', async () => {
+    const app = makeApp();
+    nock('https://ombi.test')
+      .get('/api/v1/Request/movie')
+      .reply(200, []);
+    nock('https://ombi.test')
+      .get('/api/v1/Request/tv')
+      .reply(200, []);
+
+    const res = await request(app)
+      .post(`/api/webhook/ombi?secret=${VALID_SECRET}`)
+      .send({
+        notificationType: 'NewRequest',
+        requestId: 127,
+        requestedUser: 'gordon',
+        title: 'Query Movie',
+        type: 'Movie',
+        requestStatus: 'Pending',
+        applicationUrl: 'https://ombi.test',
+        requestedDate: '2026-05-23T20:40:00.000Z'
+      });
+    expect(res.status).toBe(200);
+    expect(res.body.received).toBe(true);
+  });
+
+  it('returns 401 when secret is provided as an invalid query parameter', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post('/api/webhook/ombi?secret=wrong-query-secret')
+      .send({ notificationType: 'NewRequest', requestId: 1 });
+    expect(res.status).toBe(401);
+    expect(res.body.error).toBe('Unauthorized');
+  });
+
   it('returns 400 when notificationType is missing or invalid', async () => {
     const app = makeApp();
     const res = await postOmbi(app, { requestId: 1 });

tests/unit/arrRetrievers.test.js

@@ -183,3 +183,152 @@ describe('arrRetrieverRegistry', () => {
     });
   });
 });
+
+describe('OmbiRetriever._hydrateRequest', () => {
+  let retriever;
+
+  beforeEach(() => {
+    retriever = new OmbiRetriever({
+      id: 'ombi-test',
+      name: 'Test Ombi',
+      url: 'http://localhost:5000',
+      apiKey: 'test-key'
+    });
+
+    // Seed the userMap cache
+    retriever.cache.userMap.set('user-1', {
+      id: 'user-1',
+      userName: 'testuser',
+      alias: 'TestUser',
+      userAlias: 'TestUser',
+      normalizedUserName: 'testuser'
+    });
+    retriever.cache.userMap.set('user-2', {
+      id: 'user-2',
+      userName: 'adminuser',
+      alias: 'AdminUser',
+      userAlias: 'AdminUser',
+      normalizedUserName: 'adminuser'
+    });
+  });
+
+  it('hydrates top-level requestedUserId', () => {
+    const req = {
+      id: 1,
+      requestedUserId: 'user-1',
+      requestedUser: {}
+    };
+    const result = retriever._hydrateRequest(req);
+    expect(result.requestedUser.userName).toBe('testuser');
+    expect(result.requestedUser.alias).toBe('TestUser');
+  });
+
+  it('hydrates childRequests requestedUserId (TV requests)', () => {
+    const req = {
+      id: 3,
+      title: 'Test Show',
+      requestedUserId: 'user-1',
+      requestedUser: {},
+      childRequests: [
+        {
+          id: 10,
+          requestedUserId: 'user-2',
+          requestedUser: {}
+        }
+      ]
+    };
+    const result = retriever._hydrateRequest(req);
+    expect(result.requestedUser.userName).toBe('testuser');
+    expect(result.childRequests[0].requestedUser.userName).toBe('adminuser');
+    expect(result.childRequests[0].requestedUser.alias).toBe('AdminUser');
+  });
+
+  it('promotes requestedDate from childRequests to top level', () => {
+    const req = {
+      id: 3,
+      title: 'Test Show',
+      childRequests: [
+        {
+          id: 10,
+          requestedDate: '2026-05-15T10:00:00.000Z'
+        }
+      ]
+    };
+    const result = retriever._hydrateRequest(req);
+    expect(result.requestedDate).toBe('2026-05-15T10:00:00.000Z');
+    expect(result.childRequests[0].requestedDate).toBe('2026-05-15T10:00:00.000Z');
+  });
+
+  it('does not overwrite existing top-level requestedDate', () => {
+    const req = {
+      id: 3,
+      requestedDate: '2026-01-01T00:00:00.000Z',
+      childRequests: [
+        {
+          id: 10,
+          requestedDate: '2026-05-15T10:00:00.000Z'
+        }
+      ]
+    };
+    const result = retriever._hydrateRequest(req);
+    expect(result.requestedDate).toBe('2026-01-01T00:00:00.000Z');
+  });
+
+  it('handles PascalCase RequestedDate from childRequests', () => {
+    const req = {
+      id: 3,
+      childRequests: [
+        {
+          id: 10,
+          RequestedDate: '2026-06-01T12:00:00.000Z'
+        }
+      ]
+    };
+    const result = retriever._hydrateRequest(req);
+    expect(result.requestedDate).toBe('2026-06-01T12:00:00.000Z');
+  });
+
+  it('returns unmodified request when no hydration needed', () => {
+    const req = {
+      id: 1,
+      title: 'Test Movie',
+      requestedUser: { userName: 'existing', alias: 'Existing' }
+    };
+    const result = retriever._hydrateRequest(req);
+    expect(result).toEqual(req);
+  });
+
+  it('handles null childRequests gracefully', () => {
+    const req = {
+      id: 3,
+      childRequests: null
+    };
+    const result = retriever._hydrateRequest(req);
+    expect(result).toEqual(req);
+  });
+
+  it('handles empty childRequests gracefully', () => {
+    const req = {
+      id: 3,
+      childRequests: []
+    };
+    const result = retriever._hydrateRequest(req);
+    expect(result).toEqual(req);
+  });
+
+  it('skips child hydration when child already has valid requestedUser', () => {
+    const req = {
+      id: 3,
+      childRequests: [
+        {
+          id: 10,
+          requestedUserId: 'user-1',
+          requestedUser: { userName: 'already_set', alias: 'AlreadySet' }
+        }
+      ]
+    };
+    const result = retriever._hydrateRequest(req);
+    expect(result.childRequests[0].requestedUser.userName).toBe('already_set');
+    expect(result.childRequests[0].requestedUser.alias).toBe('AlreadySet');
+  });
+});

tests/unit/clients/OmbiClient.test.js

@@ -336,4 +336,47 @@ describe('OmbiClient', () => {
       expect(result).toBe(false);
     });
   });
+
+  describe('getUsers', () => {
+    it('should return user array for successful request', async () => {
+      const mockUsers = [
+        { id: '1', userName: 'Gordon' },
+        { id: '2', userName: 'Alice' }
+      ];
+
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .matchHeader('ApiKey', apiKey)
+        .reply(200, mockUsers);
+
+      const client = new OmbiClient(baseUrl, apiKey);
+      const result = await client.getUsers();
+
+      expect(result).toEqual(mockUsers);
+    });
+
+    it('should return empty array on API error', async () => {
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .matchHeader('ApiKey', apiKey)
+        .reply(500, { error: 'Internal Server Error' });
+
+      const client = new OmbiClient(baseUrl, apiKey);
+      const result = await client.getUsers();
+
+      expect(result).toEqual([]);
+    });
+
+    it('should return empty array on network error', async () => {
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .matchHeader('ApiKey', apiKey)
+        .replyWithError('Network error');
+
+      const client = new OmbiClient(baseUrl, apiKey);
+      const result = await client.getUsers();
+
+      expect(result).toEqual([]);
+    });
+  });
 });

tests/unit/clients/OmbiRetriever.test.js

@@ -766,4 +766,70 @@ describe('OmbiRetriever', () => {
       expect(stats.age).toBeGreaterThanOrEqual(0);
     });
   });
+
+  describe('hydration logic', () => {
+    it('should hydrate requestedUser when missing but requestedUserId is present', async () => {
+      const mockMovies = [
+        { id: 1, title: 'Movie 1', requestedUserId: 'gordon-id', requestedUser: null }
+      ];
+      const mockTvShows = [];
+      const mockUsers = [
+        { id: 'gordon-id', userName: 'Gordon', alias: 'G-Man' }
+      ];
+
+      nock(baseUrl)
+        .get('/api/v1/Request/movie')
+        .reply(200, mockMovies);
+
+      nock(baseUrl)
+        .get('/api/v1/Request/tv')
+        .reply(200, mockTvShows);
+
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .reply(200, mockUsers);
+
+      const retriever = new OmbiRetriever(instanceConfig);
+      const result = await retriever.getMovieRequests();
+
+      expect(result).toHaveLength(1);
+      expect(result[0].requestedUser).toBeDefined();
+      expect(result[0].requestedUser.userName).toBe('Gordon');
+      expect(result[0].requestedUser.alias).toBe('G-Man');
+    });
+
+    it('should not overwrite non-empty requestedUser object', async () => {
+      const mockMovies = [
+        {
+          id: 1,
+          title: 'Movie 1',
+          requestedUserId: 'gordon-id',
+          requestedUser: { userName: 'ExistingGordon', alias: 'ExistingG' }
+        }
+      ];
+      const mockTvShows = [];
+      const mockUsers = [
+        { id: 'gordon-id', userName: 'Gordon', alias: 'G-Man' }
+      ];
+
+      nock(baseUrl)
+        .get('/api/v1/Request/movie')
+        .reply(200, mockMovies);
+
+      nock(baseUrl)
+        .get('/api/v1/Request/tv')
+        .reply(200, mockTvShows);
+
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .reply(200, mockUsers);
+
+      const retriever = new OmbiRetriever(instanceConfig);
+      const result = await retriever.getMovieRequests();
+
+      expect(result).toHaveLength(1);
+      expect(result[0].requestedUser.userName).toBe('ExistingGordon');
+      expect(result[0].requestedUser.alias).toBe('ExistingG');
+    });
+  });
 });

tests/unit/ombiFilters.test.js

@@ -58,6 +58,40 @@ describe('getRequestStatus', () => {
     expect(getRequestStatus(makeRequest({ denied: true, approved: true }))).toBe('denied');
     expect(getRequestStatus(makeRequest({ approved: true, requested: true }))).toBe('approved');
   });
+
+  it('returns available from childRequests when top-level is absent (TV)', () => {
+    expect(getRequestStatus({ childRequests: [{ available: true }] })).toBe('available');
+  });
+
+  it('returns denied from childRequests when top-level is absent (TV)', () => {
+    expect(getRequestStatus({ childRequests: [{ denied: true }] })).toBe('denied');
+  });
+
+  it('returns approved from childRequests when top-level is absent (TV)', () => {
+    expect(getRequestStatus({ childRequests: [{ approved: true }] })).toBe('approved');
+  });
+
+  it('returns pending from childRequests when top-level is absent (TV)', () => {
+    expect(getRequestStatus({ childRequests: [{ requested: true }] })).toBe('pending');
+  });
+
+  it('follows priority inside childRequests: available > denied > approved > pending', () => {
+    expect(getRequestStatus({ childRequests: [
+      { available: true, denied: true },
+      { approved: true }
+    ]})).toBe('available');
+    expect(getRequestStatus({ childRequests: [
+      { denied: true, approved: true },
+      { requested: true }
+    ]})).toBe('denied');
+    expect(getRequestStatus({ childRequests: [
+      { approved: true, requested: true }
+    ]})).toBe('approved');
+  });
+
+  it('returns unknown for TV request with empty childRequests', () => {
+    expect(getRequestStatus({ childRequests: [] })).toBe('unknown');
+  });
 });
 
 // ---------------------------------------------------------------------------

tests/unit/ombiHelpers.test.js

@@ -79,6 +79,85 @@ describe('ombiHelpers', () => {
       };
       expect(extractRequestedUser(req)).toBe('');
     });
+
+    it('returns userName from nested user object', () => {
+      const req = { user: { userName: 'user_val' } };
+      expect(extractRequestedUser(req)).toBe('user_val');
+    });
+
+    it('returns alias from nested requestedBy object', () => {
+      const req = { requestedBy: { alias: 'req_alias' } };
+      expect(extractRequestedUser(req)).toBe('req_alias');
+    });
+
+    it('returns normalizedUserName from nested ombiUser object', () => {
+      const req = { ombiUser: { normalizedUserName: 'norm_ombi' } };
+      expect(extractRequestedUser(req)).toBe('norm_ombi');
+    });
+
+    it('returns userAlias from nested requestedByUser object', () => {
+      const req = { requestedByUser: { userAlias: 'alias_user' } };
+      expect(extractRequestedUser(req)).toBe('alias_user');
+    });
+
+    it('returns username from a string source value', () => {
+      const req = { requestedBy: 'direct_string' };
+      expect(extractRequestedUser(req)).toBe('direct_string');
+    });
+
+    it('returns username from root fallbacks (requestedByUsername, requester, requestedByEmail)', () => {
+      expect(extractRequestedUser({ requestedByUsername: 'user_uname' })).toBe('user_uname');
+      expect(extractRequestedUser({ requester: 'req_val' })).toBe('req_val');
+      expect(extractRequestedUser({ requestedByEmail: 'test@email.com' })).toBe('test@email.com');
+    });
+
+    it('recursively extracts user from seasons array requests', () => {
+      const req = {
+        seasons: [
+          {},
+          { requestedUser: { alias: 'season_user' } }
+        ]
+      };
+      expect(extractRequestedUser(req)).toBe('season_user');
+    });
+
+    it('recursively extracts user from childRequests array', () => {
+      const req = {
+        childRequests: [
+          {},
+          { user: { userName: 'child_user' } }
+        ]
+      };
+      expect(extractRequestedUser(req)).toBe('child_user');
+    });
+
+    it('recursively extracts user from childRequests requestedUser object (hydrated TV)', () => {
+      const req = {
+        childRequests: [
+          {},
+          { requestedUser: { userName: 'tv_user', alias: 'tv_alias' } }
+        ]
+      };
+      expect(extractRequestedUser(req)).toBe('tv_alias');
+    });
+
+    it('recursively extracts user from childRequests requestedUser as string', () => {
+      const req = {
+        childRequests: [
+          { requestedUser: 'string_user' }
+        ]
+      };
+      expect(extractRequestedUser(req)).toBe('string_user');
+    });
+
+    it('extracts user from deeply nested childRequests with requestedByAlias fallback', () => {
+      const req = {
+        childRequests: [
+          { requestedByAlias: 'deep_alias' }
+        ]
+      };
+      expect(extractRequestedUser(req)).toBe('deep_alias');
+    });
   });
 
   describe('filterRequestsByUser', () => {