merge branch 'develop' into 'main' - Release v1.7.21

- Remove white-space: nowrap from .request-title so long titles
  truncate/wrap instead of forcing cards beyond the viewport width
- Add overflow-x: hidden to .requests-list as a safety net
- Add @media (max-width: 768px) rules for the requests section:
  reduce .requests-container padding from 20px to 12px, tighten
  .request-card and .request-meta gaps on mobile

Fixes #49

.env.sample

@@ -35,6 +35,13 @@ SOFARR_WEBHOOK_SECRET=your-webhook-secret-here
 # Example: https://sofarr.example.com or https://192.168.1.100:3001
 SOFARR_BASE_URL=https://your-sofarr-url
 
+# Optional dedicated base URL for webhooks (e.g. for reverse proxies / docker networking)
+# If configured, webhook registration in Sonarr, Radarr, and Ombi will use this URL.
+# Useful if those services reside in the same local network/docker container setup and
+# cannot route to the public SOFARR_BASE_URL due to loopback/DNS restrictions (avoiding 503s).
+# Example: http://sofarr:3001 or http://192.168.1.50:3001
+# SOFARR_WEBHOOK_BASE_URL=http://sofarr:3001
+
 # --- Webhook Polling Optimization (Phase 5) ---
 
 # Minutes of silence after which the poller falls back to a full poll

.gitignore

@@ -12,3 +12,4 @@ data/
 *.db-shm
 .agents/
 .windsurf/
+scratch/

ARCHITECTURE.md

@@ -393,9 +393,9 @@ POST /api/webhook/ombi
 Both endpoints share identical processing logic:
 
 ```
-Sonarr/Radarr
+Sonarr/Radarr/Ombi
     POST /api/webhook/sonarr
-    Headers: X-Sofarr-Webhook-Secret: <secret>
+    Headers: X-Sofarr-Webhook-Secret: <secret> OR URL parameter: ?secret=<secret>
     Body:    { "eventType": "Grab", "instanceName": "Main Sonarr",
                "date": "2026-05-19T10:00:00.000Z", … }
         │
@@ -404,6 +404,7 @@ Sonarr/Radarr
         │
         ▼
     validateWebhookSecret()  ──fail──► 401 Unauthorized
+        (Checks header or query param)
         │ ok
         ▼
     validatePayload()        ──fail──► 400 Bad Request
@@ -1002,19 +1003,19 @@ sofarr provides a togglable, real-time log capturing and streaming engine allowi
 
 ```mermaid
 flowchart LR
-    subgraph Browser (SPA)
+    subgraph Browser ["Browser (SPA)"]
         console["console.log/warn/error"] --> queue["logQueue (batched)"]
         queue --> |POST /api/debug/client-logs| ingestionRoute["POST router handler"]
     end
 
-    subgraph Node.js (Server)
+    subgraph Server ["Node.js (Server)"]
         stdout["process.stdout.write"] --> capture["processStreamData()"]
         stderr["process.stderr.write"] --> capture
-        capture --> |stripAnsi()| serverBuffer["logBuffer (rolling 1000 lines)"]
+        capture --> |stripAnsi| serverBuffer["logBuffer (rolling 1000 lines)"]
-        capture --> |emit('server-log')| serverSse["GET /api/debug/server-logs (SSE)"]
+        capture --> |emit server-log| serverSse["GET /api/debug/server-logs (SSE)"]
 
         ingestionRoute --> clientBuffer["clientLogBuffer (rolling 1000 lines)"]
-        ingestionRoute --> |emit('client-log')| clientSse["GET /api/debug/client-logs (SSE)"]
+        ingestionRoute --> |emit client-log| clientSse["GET /api/debug/client-logs (SSE)"]
     end
 ```
 

CHANGELOG.md

@@ -4,6 +4,85 @@ All notable changes to this project will be documented in this file.
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.7.21] - 2026-05-26
+
+### Fixed
+
+- **Ombi Webhook Test Loopback Fallback** — Resolved a persistent failure on the Ombi webhook test button when Sofarr sits behind a reverse proxy or in loopback-restricted environments. When the outbound request to the public webhook URL (`SOFARR_BASE_URL`) fails due to loopback/NAT routing limits, the server now transparently falls back to a secure local loopback request (`127.0.0.1`) with smart TLS detection and SSL error bypass (`rejectUnauthorized: false`).
+- **Resilient Webhook Mocks in Tests** — Updated integration test assertions to verify the loopback fallback path under both HTTP and HTTPS configurations, ensuring full compatibility across dev, test, and production container environments.
+
+---
+
+## [1.7.21] - 2026-05-26
+
+### Fixed
+
+- **Webhook Loopback & Hairpin NAT Connectivity** — Implemented a robust local loopback fallback inside the Ombi webhook testing endpoint to bypass NAT loopback and DNS resolution issues common in setups behind reverse proxies. When the outbound request to the public URL fails, the server automatically routes the request internally via `127.0.0.1` using automatic TLS credentials detection and SSL validation bypass for loopback requests. Added comprehensive integration tests verifying the fallback behavior.
+- **Dedicated Webhook Base URL Support** — Added support for a new `SOFARR_WEBHOOK_BASE_URL` environment variable inside `server/routes/sonarr.js`, `server/routes/radarr.js`, and `server/routes/ombi.js`. This allows setups behind reverse proxies to declare an internal/custom base URL specifically for webhooks, enabling Sonarr, Radarr, and Ombi to send webhook events directly to the server via internal container networking, resolving `503 Service Unavailable` errors.
+
+---
+
+## [1.7.20] - 2026-05-26
+
+### Fixed
+
+- **Ombi Requesting User Hydration (Issue #51)** — Resolved a bug where Sofarr displayed "Unknown" for the requesting user on requests even when the Ombi database contains valid user information. Added automatic requestedUser object hydration on the server side by fetching the full user list from `/api/v1/Identity/Users` and caching it in memory. If a request is missing the nested `requestedUser` details but possesses a valid `requestedUserId`, Sofarr automatically resolves and binds the user's username/alias. Added robust unit tests safeguarding the client and the retriever. Resolves Gitea Issue [#51](https://git.i3omb.com/Gandalf/sofarr/issues/51).
+
+### Changed
+
+- **Aligned Gitea Interaction Skill** — Updated `.windsurf/skills/gitea-interaction/SKILL.md` to align with the Antigravity `tea-interaction` hybrid interaction model guidelines, detailing when to use the editor extension versus the Gitea CLI.
+
+---
+
+## [1.7.19] - 2026-05-25
+
+### Fixed
+
+- **Requests Mobile CSS Overflow Fix (Issue #49)** — Resolved the remaining viewport overflow on narrow screens by adding `min-width: 0` to `.request-card` to allow proper flexbox and grid shrinking, reducing mobile `.main-tabs` padding to `0 8px`, and tightening `.requests-container` mobile padding to `8px`.
+- **Admin *arr Badge Links on Active Downloads (Issue #50)** — Fixed the missing Sonarr/Radarr badges and links on active downloads for admin users. Enabled robust `_instanceUrl` propagation during queue/history metadata compilation (`buildMetadataMaps`) and active matching (`DownloadMatcher.js`) to ensure link generation succeeds. Added complete schema documentation in OpenAPI.
+
+---
+
+## [1.7.18] - 2026-05-24
+
+### Fixed
+
+- **Mobile overflow on Requests tab** — Request cards no longer extend off the right edge of the screen on mobile browsers. Removed `white-space: nowrap` from `.request-title` to allow text truncation with ellipsis, added `overflow-x: hidden` to `.requests-list` as a safety net, and added `@media (max-width: 768px)` rules to reduce padding and tighten gaps on mobile. Resolves Gitea Issue [#49](https://git.i3omb.com/Gandalf/sofarr/issues/49).
+
+---
+
+## [1.7.17] - 2026-05-24
+
+### Fixed
+
+- **Blocklist-Search Persistent Failure (Regression from v1.7.16)** — Identified and corrected the true root cause of the blocklist-and-search feature being non-functional. The v1.7.16 fix correctly cast both sides of the queue ID comparison to `String`, but the lookup was performed against `downloadClientRegistry.getAllDownloads()`, which returns **raw download-client data** (qBittorrent, SABnzbd, etc.) that never has `arrQueueId` populated — that field is only assigned by `DownloadMatcher.js` during the SSE build phase from the *arr cache. For qBittorrent torrents specifically, `QBittorrentClient.normalizeDownload()` does not set `arrQueueId` at all, so the lookup always returned `undefined` and the request was rejected with `403`. The permission check in `POST /api/dashboard/blocklist-search` now looks up the queue record directly from the Sonarr/Radarr queue cache (`poll:sonarr-queue` / `poll:radarr-queue`) where `record.id` is the numeric queue ID, using `String()` casting on both sides to handle the DOM-dataset (string) vs API response (number) type difference. Resolves Gitea Issue [#48](https://git.i3omb.com/Gandalf/sofarr/issues/48) (regression).
+
+---
+
+## [1.7.16] - 2026-05-24
+
+### Fixed
+
+- **Blocklist-Search Queue ID Type Mismatch** — Resolved a bug where the "Blocklist and search" action consistently returned `403 Download not found or permission denied` for all users. The server-side download lookup in `server/routes/dashboard.js` used strict equality (`===`) to compare `arrQueueId` values, but the value sent from the SPA client (read from a DOM `data-*` attribute) is always a `string`, while the value populated from the Radarr/Sonarr queue API is a `number`. Both sides are now cast to `String` before comparison, resolving the false-negative match failure. Resolves Gitea Issue [#48](https://git.i3omb.com/Gandalf/sofarr/issues/48).
+
+---
+
+## [1.7.15] - 2026-05-24
+
+### Fixed
+
+- **Ombi Webhook Authentication Failures** — Resolved a critical issue where Ombi webhook notifications failed to authenticate because Ombi's built-in notification agent does not support custom HTTP headers (such as `X-Sofarr-Webhook-Secret`). Added a query parameter authentication fallback (`?secret=`) to all `/api/webhook/*` endpoints (Sonarr, Radarr, and Ombi) and configured Ombi webhook registration to automatically append this secret query parameter. Resolves Gitea Issue [#47](https://git.i3omb.com/Gandalf/sofarr/issues/47).
+
+---
+
+## [1.7.14] - 2026-05-24
+
+### Fixed
+
+- **Undefined Reference Error in Background Poller** — Resolved a critical runtime exception in the background scheduler loop (`server/utils/poller.js`) where `logToFile` was called on cache updates but was never imported at the top of the file, previously triggering `[Poller] Poll error: logToFile is not defined` on every interval loop.
+
+---
+
 ## [1.7.13] - 2026-05-24
 
 ### Changed

SECURITY.md

@@ -40,7 +40,7 @@ users via Emby. The primary threat surface when exposed to the public internet:
 | Privilege escalation (container) | Non-root user (UID 1000), `no-new-privileges`, all caps dropped |
 | Unbounded log growth | Size-based rotation: 10 MB cap, 3 rotated files kept |
 | Dependency vulnerabilities | `npm audit --audit-level=high` in CI on every push |
-| Unauthorized webhook injection | `SOFARR_WEBHOOK_SECRET` required on `X-Sofarr-Webhook-Secret` header; 401 on mismatch |
+| Unauthorized webhook injection | `SOFARR_WEBHOOK_SECRET` required on `X-Sofarr-Webhook-Secret` header or `secret` query parameter; 401 on mismatch |
 | Webhook payload injection | `validatePayload()` allowlists 18 known event types; rejects non-object bodies and overlong fields |
 | Webhook replay attacks | `isReplay()` tracks `(eventType, instanceName, date)` tuples for 5 minutes; duplicate events return `200 { duplicate: true }` without cache mutation |
 | Webhook flood / DoS | Dedicated rate limiter: 60 requests/min per IP on `/api/webhook/*` |

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "sofarr",
-  "version": "1.7.13",
+  "version": "1.7.21",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "sofarr",
-      "version": "1.7.13",
+      "version": "1.7.21",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.6.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "sofarr",
-  "version": "1.7.13",
+  "version": "1.7.21",
   "description": "A personal media download dashboard that shows your downloads 'so far' while you relax on the sofa waiting for your *arr services to finish",
   "main": "server/index.js",
   "scripts": {

public/style.css

@@ -1888,6 +1888,23 @@ body {
 
 /* ===== Mobile ===== */
 @media (max-width: 768px) {
+  .main-tabs {
+    padding: 0 8px;
+  }
+
+  .requests-container {
+    padding: 8px;
+  }
+
+  .request-card {
+    gap: 8px;
+    padding: 10px;
+  }
+
+  .request-meta {
+    gap: 4px;
+  }
+
   .app {
     padding: 10px;
   }
@@ -2234,6 +2251,7 @@ body {
 .requests-list {
   display: grid;
   gap: 12px;
+  overflow-x: hidden;
 }
 
 .request-card {
@@ -2245,6 +2263,7 @@ body {
   border: 1px solid var(--border);
   border-radius: 8px;
   transition: box-shadow 0.2s ease, border-color 0.2s ease;
+  min-width: 0;
 }
 
 .request-card:hover {
@@ -2273,7 +2292,6 @@ body {
   font-weight: 600;
   color: var(--text-primary);
   margin-bottom: 4px;
-  white-space: nowrap;
   overflow: hidden;
   text-overflow: ellipsis;
 }

server/app.js

@@ -132,7 +132,7 @@ function createApp({ skipRateLimits = false } = {}) {
    *                 version:
    *                   type: string
    *                   description: sofarr version
-   *                   example: "1.7.13"
+   *                   example: "1.7.21"
    *     x-code-samples:
    *       - lang: curl
    *         label: cURL

server/clients/OmbiClient.js

@@ -125,6 +125,20 @@ class OmbiClient {
       return false;
     }
   }
+
+  /**
+   * Get all users from Ombi
+   * @returns {Promise<Array>} Array of user objects
+   */
+  async getUsers() {
+    try {
+      const response = await this.axios.get(`${this.url}/api/v1/Identity/Users`);
+      return response.data || [];
+    } catch (error) {
+      logToFile(`[OmbiClient] Get users error: ${error.message}`);
+      return [];
+    }
+  }
 }
 
 module.exports = OmbiClient;

server/clients/OmbiRetriever.js

@@ -16,8 +16,10 @@ class OmbiRetriever extends ArrRetriever {
     this.cache = {
       movieRequests: [],
       tvRequests: [],
+      users: [],
       movieMap: new Map(), // tmdbId -> request
       tvMap: new Map(),    // tvdbId -> request
+      userMap: new Map(),  // id -> user
       lastFetch: 0,
       ttl: 5 * 60 * 1000  // 5 minutes TTL
     };
@@ -98,20 +100,32 @@ class OmbiRetriever extends ArrRetriever {
     try {
       logToFile('[OmbiRetriever] Refreshing cache');
       
-      // Fetch requests in parallel
+      // Fetch requests and users in parallel
-      const [movieRequests, tvRequests] = await Promise.all([
+      const [movieRequests, tvRequests, users] = await Promise.all([
         this.client.getMovieRequests(),
-        this.client.getTvRequests()
+        this.client.getTvRequests(),
+        this.client.getUsers()
       ]);
 
       // Update cache
       this.cache.movieRequests = movieRequests;
       this.cache.tvRequests = tvRequests;
+      this.cache.users = users;
       this.cache.lastFetch = Date.now();
 
       // Build lookup maps
       this.cache.movieMap.clear();
       this.cache.tvMap.clear();
+      this.cache.userMap.clear();
+
+      // Build user map (id -> user)
+      if (Array.isArray(users)) {
+        users.forEach(user => {
+          if (user && user.id) {
+            this.cache.userMap.set(user.id, user);
+          }
+        });
+      }
 
       // Build movie map (tmdbId -> request)
       movieRequests.forEach(request => {
@@ -133,13 +147,59 @@ class OmbiRetriever extends ArrRetriever {
         }
       });
 
-      logToFile(`[OmbiRetriever] Cache refreshed: ${movieRequests.length} movies, ${tvRequests.length} TV shows`);
+      logToFile(`[OmbiRetriever] Cache refreshed: ${movieRequests.length} movies, ${tvRequests.length} TV shows, ${users.length} users`);
     } catch (error) {
       logToFile(`[OmbiRetriever] Cache refresh failed: ${error.message}`);
       // Don't throw error, continue with stale cache if available
     }
   }
 
+  /**
+   * Hydrates requestedUser on a single request using the userMap cache
+   * @param {Object} req - The request object
+   * @returns {Object} Hydrated request object
+   * @private
+   */
+  _hydrateRequest(req) {
+    if (!req) return req;
+
+    const reqUserId = req.requestedUserId || req.RequestedUserId;
+    if (reqUserId && this.cache.userMap.has(reqUserId)) {
+      const cachedUser = this.cache.userMap.get(reqUserId);
+      
+      let requestedUser = req.requestedUser || req.RequestedUser;
+      
+      // If requestedUser is not an object or is empty/null, populate it
+      if (!requestedUser || typeof requestedUser !== 'object' || Object.keys(requestedUser).length === 0) {
+        const hydratedUser = {
+          id: cachedUser.id,
+          userName: cachedUser.userName,
+          alias: cachedUser.alias || cachedUser.Alias || '',
+          userAlias: cachedUser.userAlias || cachedUser.UserAlias || '',
+          normalizedUserName: cachedUser.normalizedUserName || cachedUser.NormalizedUserName || ''
+        };
+        
+        return {
+          ...req,
+          requestedUser: hydratedUser,
+          RequestedUser: hydratedUser
+        };
+      }
+    }
+    return req;
+  }
+
+  /**
+   * Hydrates requestedUser on a list of requests using the userMap cache
+   * @param {Array} requests - Array of request objects
+   * @returns {Array} Array of hydrated request objects
+   * @private
+   */
+  _hydrateRequests(requests) {
+    if (!Array.isArray(requests)) return [];
+    return requests.map(req => this._hydrateRequest(req));
+  }
+
   /**
    * Get all movie requests
    * @param {boolean} force - Whether to force refresh from API
@@ -147,7 +207,7 @@ class OmbiRetriever extends ArrRetriever {
    */
   async getMovieRequests(force = false) {
     await this.refreshCache(force);
-    return this.cache.movieRequests;
+    return this._hydrateRequests(this.cache.movieRequests);
   }
 
   /**
@@ -157,7 +217,7 @@ class OmbiRetriever extends ArrRetriever {
    */
   async getTvRequests(force = false) {
     await this.refreshCache(force);
-    return this.cache.tvRequests;
+    return this._hydrateRequests(this.cache.tvRequests);
   }
 
   /**
@@ -171,12 +231,12 @@ class OmbiRetriever extends ArrRetriever {
     
     // Try TMDB ID first
     if (tmdbId && this.cache.movieMap.has(tmdbId)) {
-      return this.cache.movieMap.get(tmdbId);
+      return this._hydrateRequest(this.cache.movieMap.get(tmdbId));
     }
     
     // Try IMDB ID as fallback
     if (imdbId && this.cache.movieMap.has(imdbId)) {
-      return this.cache.movieMap.get(imdbId);
+      return this._hydrateRequest(this.cache.movieMap.get(imdbId));
     }
     
     return null;
@@ -193,12 +253,12 @@ class OmbiRetriever extends ArrRetriever {
     
     // Try TVDB ID first
     if (tvdbId && this.cache.tvMap.has(tvdbId)) {
-      return this.cache.tvMap.get(tvdbId);
+      return this._hydrateRequest(this.cache.tvMap.get(tvdbId));
     }
     
     // Try TMDB ID as fallback
     if (tmdbId && this.cache.tvMap.has(tmdbId)) {
-      return this.cache.tvMap.get(tmdbId);
+      return this._hydrateRequest(this.cache.tvMap.get(tmdbId));
     }
     
     return null;

server/index.js

@@ -249,7 +249,7 @@ app.use(express.json({ limit: '64kb' })); // prevent oversized JSON payloads
  *                 version:
  *                   type: string
  *                   description: sofarr version
- *                   example: "1.7.13"
+ *                   example: "1.7.21"
  */
 app.get('/health', (req, res) => {
   res.json({ status: 'ok', uptime: process.uptime(), version });

server/openapi.yaml

@@ -22,7 +22,7 @@ info:
 
     ## SSE Streaming
     Real-time updates are available via Server-Sent Events at GET /api/dashboard/stream.
-  version: 1.7.13
+  version: 1.7.21
   contact:
     name: sofarr
   license:
@@ -176,6 +176,27 @@ components:
           nullable: true
           description: Tooltip text for Ombi icon ("Request" or "Search")
           example: "Request"
+        arrLink:
+          type: string
+          nullable: true
+          format: uri
+          description: Sonarr/Radarr show/movie web UI link (admin-only)
+          example: "http://sonarr:8989/series/show-slug"
+        downloadPath:
+          type: string
+          nullable: true
+          description: Save path in download client (admin-only)
+          example: "/downloads/series/show-slug"
+        targetPath:
+          type: string
+          nullable: true
+          description: Target path in library (admin-only)
+          example: "/tv/show-slug"
+        arrInstanceKey:
+          type: string
+          nullable: true
+          description: Sonarr/Radarr instance API key (admin-only)
+          example: "api-key-here"
 
     DashboardPayload:
       type: object
@@ -795,8 +816,15 @@ paths:
     post:
       tags: [Webhook]
       summary: Sonarr webhook
-      description: Receives webhook events from Sonarr. Requires X-Sofarr-Webhook-Secret header.
+      description: Receives webhook events from Sonarr. Requires X-Sofarr-Webhook-Secret header or secret query parameter.
       security: []
+      parameters:
+        - name: secret
+          in: query
+          required: false
+          schema:
+            type: string
+          description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
       requestBody:
         required: true
         content:
@@ -832,8 +860,15 @@ paths:
     post:
       tags: [Webhook]
       summary: Radarr webhook
-      description: Receives webhook events from Radarr. Requires X-Sofarr-Webhook-Secret header.
+      description: Receives webhook events from Radarr. Requires X-Sofarr-Webhook-Secret header or secret query parameter.
       security: []
+      parameters:
+        - name: secret
+          in: query
+          required: false
+          schema:
+            type: string
+          description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
       requestBody:
         required: true
         content:
@@ -869,8 +904,15 @@ paths:
     post:
       tags: [Webhook]
       summary: Ombi webhook
-      description: Receives webhook events from Ombi. Requires X-Sofarr-Webhook-Secret header.
+      description: Receives webhook events from Ombi. Requires X-Sofarr-Webhook-Secret header or secret query parameter.
       security: []
+      parameters:
+        - name: secret
+          in: query
+          required: false
+          schema:
+            type: string
+          description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
       requestBody:
         required: true
         content:

server/routes/dashboard.js

@@ -51,17 +51,43 @@ function readCacheSnapshot() {
 function buildMetadataMaps(snapshot) {
   const seriesMap = new Map();
   for (const r of snapshot.sonarrQueue.data.records) {
-    if (r.series && r.seriesId) seriesMap.set(r.seriesId, r.series);
+    if (r.series && r.seriesId) {
+      if (!r.series._instanceUrl && r._instanceUrl) {
+        r.series._instanceUrl = r._instanceUrl;
+      }
+      seriesMap.set(r.seriesId, r.series);
+    }
   }
   for (const r of snapshot.sonarrHistory.data.records) {
-    if (r.series && r.seriesId && !seriesMap.has(r.seriesId)) seriesMap.set(r.seriesId, r.series);
+    if (r.series && r.seriesId) {
+      if (!r.series._instanceUrl && r._instanceUrl) {
+        r.series._instanceUrl = r._instanceUrl;
+      }
+      const existing = seriesMap.get(r.seriesId);
+      if (!existing || (!existing._instanceUrl && r.series._instanceUrl)) {
+        seriesMap.set(r.seriesId, r.series);
+      }
+    }
   }
   const moviesMap = new Map();
   for (const r of snapshot.radarrQueue.data.records) {
-    if (r.movie && r.movieId) moviesMap.set(r.movieId, r.movie);
+    if (r.movie && r.movieId) {
+      if (!r.movie._instanceUrl && r._instanceUrl) {
+        r.movie._instanceUrl = r._instanceUrl;
+      }
+      moviesMap.set(r.movieId, r.movie);
+    }
   }
   for (const r of snapshot.radarrHistory.data.records) {
-    if (r.movie && r.movieId && !moviesMap.has(r.movieId)) moviesMap.set(r.movieId, r.movie);
+    if (r.movie && r.movieId) {
+      if (!r.movie._instanceUrl && r._instanceUrl) {
+        r.movie._instanceUrl = r._instanceUrl;
+      }
+      const existing = moviesMap.get(r.movieId);
+      if (!existing || (!existing._instanceUrl && r.movie._instanceUrl)) {
+        moviesMap.set(r.movieId, r.movie);
+      }
+    }
   }
   const sonarrTagMap = new Map(snapshot.sonarrTagsResults.flatMap(t => t.data || []).map(t => [t.id, t.label]));
   const radarrTagMap = new Map(snapshot.radarrTags.data.map(t => [t.id, t.label]));
@@ -686,17 +712,33 @@ router.post('/blocklist-search', requireAuth, async (req, res) => {
       return res.status(400).json({ error: 'arrType must be sonarr or radarr' });
     }
 
-    // Look up the download to verify permission
+    // Look up the queue record directly from the *arr cache.
-    const allDownloads = await downloadClientRegistry.getAllDownloads();
+    // downloadClientRegistry.getAllDownloads() returns raw download-client data
-    const download = allDownloads.find(d => d.arrQueueId === arrQueueId && d.arrType === arrType);
+    // (qBittorrent, SABnzbd, etc.) which never has arrQueueId set — that field
+    // is only populated later by DownloadMatcher during the SSE build phase.
+    // Instead, we verify permission by finding the record in the Sonarr/Radarr
+    // queue cache where record.id is the numeric queue ID.
+    // Cast both sides to String to handle the DOM dataset → string vs API → number mismatch.
+    const queueCacheKey = arrType === 'sonarr' ? 'poll:sonarr-queue' : 'poll:radarr-queue';
+    const queueData = cache.get(queueCacheKey) || { records: [] };
+    const queueRecord = (queueData.records || []).find(r => r.id != null && String(r.id) === String(arrQueueId));
 
-    if (!download) {
+    if (!queueRecord) {
-      console.error('[Blocklist] Download not found:', { arrQueueId, arrType });
+      console.error('[Blocklist] Download not found in arr queue cache:', { arrQueueId, arrType });
       return res.status(403).json({ error: 'Download not found or permission denied' });
     }
 
+    // Build a minimal download-like object for canBlocklist eligibility check.
+    // Includes importIssues so non-admins can blocklist stalled/import-pending items.
+    const importIssues = require('../services/DownloadAssembler').getImportIssues(queueRecord);
+    const downloadForCheck = {
+      importIssues: importIssues || [],
+      arrQueueId: queueRecord.id,
+      arrType
+    };
+
     // Check if user can blocklist this download
-    if (!canBlocklist(download, user.isAdmin)) {
+    if (!canBlocklist(downloadForCheck, user.isAdmin)) {
       console.log('[Blocklist] Permission denied:', { user: user.name, isAdmin: user.isAdmin, arrQueueId, arrType });
       return res.status(403).json({ error: 'Permission denied: admin or qualifying conditions required' });
     }

server/routes/ombi.js

@@ -2,7 +2,7 @@
 const express = require('express');
 const { logToFile } = require('../utils/logger');
 const cache = require('../utils/cache');
-const { getOmbiInstances, getWebhookSecret, getSofarrBaseUrl } = require('../utils/config');
+const { getOmbiInstances, getWebhookSecret, getSofarrBaseUrl, getSofarrWebhookBaseUrl } = require('../utils/config');
 const requireAuth = require('../middleware/requireAuth');
 const { extractRequestedUser, filterRequestsByUser } = require('../utils/ombiHelpers');
 const { applyRequestFilters } = require('../utils/ombiFilters');
@@ -205,10 +205,10 @@ router.get('/requests', requireAuth, async (req, res) => {
  */
 router.post('/webhook/enable', requireAuth, async (req, res) => {
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
 
-    if (!sofarrBaseUrl) {
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
@@ -221,7 +221,7 @@ router.post('/webhook/enable', requireAuth, async (req, res) => {
     }
 
     const ombiInst = ombiInstances[0];
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/ombi`;
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/ombi?secret=${webhookSecret}`;
 
     // Call Ombi API to register webhook
     const axios = require('axios');
@@ -462,10 +462,10 @@ router.get('/webhook/status', requireAuth, async (req, res) => {
  */
 router.post('/webhook/test', requireAuth, async (req, res) => {
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
 
-    if (!sofarrBaseUrl) {
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
@@ -478,25 +478,71 @@ router.post('/webhook/test', requireAuth, async (req, res) => {
     }
 
     const ombiInst = ombiInstances[0];
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/ombi`;
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/ombi`;
 
     // Simulate a test webhook event
     const axios = require('axios');
-    await axios.post(webhookUrl, {
+    try {
-      notificationType: 'RequestAvailable',
+      await axios.post(webhookUrl, {
-      requestId: 0,
+        notificationType: 'RequestAvailable',
-      requestedUser: 'test',
+        requestId: 0,
-      title: 'Test Request',
+        requestedUser: 'test',
-      type: 'Movie',
+        title: 'Test Request',
-      requestStatus: 'Pending'
+        type: 'Movie',
-    }, {
+        requestStatus: 'Pending'
-      headers: {
+      }, {
-        'X-Sofarr-Webhook-Secret': webhookSecret,
+        headers: {
-        'Content-Type': 'application/json'
+          'X-Sofarr-Webhook-Secret': webhookSecret,
-      }
+          'Content-Type': 'application/json'
-    });
+        }
+      });
+      logToFile(`[Ombi] Test webhook sent to ${webhookUrl}`);
+    } catch (error) {
+      logToFile(`[Ombi] Public test webhook request to ${webhookUrl} failed: ${error.message}. Trying local loopback fallback.`);
       
-    logToFile(`[Ombi] Test webhook sent to ${webhookUrl}`);
+      const port = process.env.PORT || 3001;
+      const tlsEnabled = (process.env.TLS_ENABLED || 'true').toLowerCase() !== 'false';
+      
+      let useHttps = false;
+      if (tlsEnabled) {
+        const fs = require('fs');
+        const path = require('path');
+        const certsDir = path.join(__dirname, '../../certs');
+        const tlsCertPath = process.env.TLS_CERT || path.join(certsDir, 'snakeoil.crt');
+        const tlsKeyPath  = process.env.TLS_KEY  || path.join(certsDir, 'snakeoil.key');
+        try {
+          fs.readFileSync(tlsCertPath);
+          fs.readFileSync(tlsKeyPath);
+          useHttps = true;
+        } catch {
+          useHttps = false;
+        }
+      }
+      
+      const localUrl = `${useHttps ? 'https' : 'http'}://127.0.0.1:${port}/api/webhook/ombi`;
+      
+      const https = require('https');
+      const agent = new https.Agent({
+        rejectUnauthorized: false
+      });
+      
+      await axios.post(localUrl, {
+        notificationType: 'RequestAvailable',
+        requestId: 0,
+        requestedUser: 'test',
+        title: 'Test Request',
+        type: 'Movie',
+        requestStatus: 'Pending'
+      }, {
+        headers: {
+          'X-Sofarr-Webhook-Secret': webhookSecret,
+          'Content-Type': 'application/json'
+        },
+        httpsAgent: useHttps ? agent : undefined
+      });
+      
+      logToFile(`[Ombi] Test webhook sent via local loopback to ${localUrl}`);
+    }
 
     res.json({ success: true });
   } catch (error) {

server/routes/radarr.js

@@ -4,7 +4,7 @@ const axios = require('axios');
 const router = express.Router();
 const requireAuth = require('../middleware/requireAuth');
 const sanitizeError = require('../utils/sanitizeError');
-const { getWebhookSecret, getSofarrBaseUrl, getRadarrInstances } = require('../utils/config');
+const { getWebhookSecret, getSofarrBaseUrl, getRadarrInstances, getSofarrWebhookBaseUrl } = require('../utils/config');
 
 // Helper to get first Radarr instance (for notification proxy routes)
 function getFirstRadarrInstance() {
@@ -286,17 +286,17 @@ router.post('/notifications/sofarr-webhook', async (req, res) => {
     return res.status(503).json({ error: 'Radarr not configured' });
   }
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
  
-    if (!sofarrBaseUrl) {
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
       return res.status(400).json({ error: 'SOFARR_WEBHOOK_SECRET not configured' });
     }
  
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/radarr`;
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/radarr`;
 
     // Check if Sofarr webhook already exists
     const listResponse = await axios.get(`${instance.url}/api/v3/notification`, {

server/routes/sonarr.js

@@ -4,7 +4,7 @@ const axios = require('axios');
 const router = express.Router();
 const requireAuth = require('../middleware/requireAuth');
 const sanitizeError = require('../utils/sanitizeError');
-const { getWebhookSecret, getSofarrBaseUrl, getSonarrInstances } = require('../utils/config');
+const { getWebhookSecret, getSofarrBaseUrl, getSonarrInstances, getSofarrWebhookBaseUrl } = require('../utils/config');
 
 // Helper to get first Sonarr instance (for notification proxy routes)
 function getFirstSonarrInstance() {
@@ -286,17 +286,17 @@ router.post('/notifications/sofarr-webhook', async (req, res) => {
     return res.status(503).json({ error: 'Sonarr not configured' });
   }
   try {
-    const sofarrBaseUrl = getSofarrBaseUrl();
+    const webhookBaseUrl = getSofarrWebhookBaseUrl();
     const webhookSecret = getWebhookSecret();
  
-    if (!sofarrBaseUrl) {
+    if (!webhookBaseUrl) {
       return res.status(400).json({ error: 'SOFARR_BASE_URL not configured' });
     }
     if (!webhookSecret) {
       return res.status(400).json({ error: 'SOFARR_WEBHOOK_SECRET not configured' });
     }
  
-    const webhookUrl = `${sofarrBaseUrl}/api/webhook/sonarr`;
+    const webhookUrl = `${webhookBaseUrl}/api/webhook/sonarr`;
 
     // Check if Sofarr webhook already exists
     const listResponse = await axios.get(`${instance.url}/api/v3/notification`, {

server/routes/webhook.js

@@ -144,13 +144,13 @@ const OMBI_EVENTS = new Set([
 ]);
 
 /**
- * Validate webhook secret from the X-Sofarr-Webhook-Secret header
+ * Validate webhook secret from the X-Sofarr-Webhook-Secret header or secret query parameter
  * @param {Object} req - Express request object
  * @returns {boolean} True if secret is valid, false otherwise
  */
 function validateWebhookSecret(req) {
   const expectedSecret = getWebhookSecret();
-  const providedSecret = req.get('X-Sofarr-Webhook-Secret');
+  const providedSecret = req.get('X-Sofarr-Webhook-Secret') || req.query.secret;
 
   if (!expectedSecret) {
     logToFile('[Webhook] WARNING: SOFARR_WEBHOOK_SECRET not configured, rejecting webhook');
@@ -158,7 +158,7 @@ function validateWebhookSecret(req) {
   }
 
   if (!providedSecret) {
-    logToFile('[Webhook] WARNING: Missing X-Sofarr-Webhook-Secret header');
+    logToFile('[Webhook] WARNING: Missing X-Sofarr-Webhook-Secret header or secret query parameter');
     return false;
   }
 
@@ -309,13 +309,13 @@ function validatePayload(body) {
  *       Receives webhook events from Sonarr instances. Validates the secret, logs the event,
  *       refreshes cache, broadcasts SSE, and returns 200 immediately (fire-and-forget processing).
  *
- *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header matching `SOFARR_WEBHOOK_SECRET`.
+ *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header or `secret` query parameter matching `SOFARR_WEBHOOK_SECRET`.
  *       No cookie authentication required (webhooks come from Sonarr, not browsers).
  *
  *       **Rate Limiting:** 60 requests per minute per IP.
  *
  *       **Validation:**
- *       - Secret validation via `X-Sofarr-Webhook-Secret` header
+ *       - Secret validation via `X-Sofarr-Webhook-Secret` header or `secret` query parameter
  *       - Payload validation (must be JSON object with eventType, instanceName, date)
  *       - Event type must be in allowlist (Test, Grab, Download, DownloadFailed, etc.)
  *       - Replay protection: rejects duplicate events within 5-minute window
@@ -342,6 +342,13 @@ function validatePayload(body) {
  *       - Header: `X-Sofarr-Webhook-Secret: {SOFARR_WEBHOOK_SECRET}`
  *       - Events: onGrab, onDownload, onUpgrade, onImport
  *     security: []
+ *     parameters:
+ *       - name: secret
+ *         in: query
+ *         required: false
+ *         schema:
+ *           type: string
+ *         description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
  *     requestBody:
  *       required: true
  *       content:
@@ -456,13 +463,13 @@ router.post('/sonarr', webhookLimiter, (req, res) => {
  *       Receives webhook events from Radarr instances. Validates the secret, logs the event,
  *       refreshes cache, broadcasts SSE, and returns 200 immediately (fire-and-forget processing).
  *
- *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header matching `SOFARR_WEBHOOK_SECRET`.
+ *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header or `secret` query parameter matching `SOFARR_WEBHOOK_SECRET`.
  *       No cookie authentication required (webhooks come from Radarr, not browsers).
  *
  *       **Rate Limiting:** 60 requests per minute per IP.
  *
  *       **Validation:**
- *       - Secret validation via `X-Sofarr-Webhook-Secret` header
+ *       - Secret validation via `X-Sofarr-Webhook-Secret` header or `secret` query parameter
  *       - Payload validation (must be JSON object with eventType, instanceName, date)
  *       - Event type must be in allowlist (Test, Grab, Download, DownloadFailed, etc.)
  *       - Replay protection: rejects duplicate events within 5-minute window
@@ -489,6 +496,13 @@ router.post('/sonarr', webhookLimiter, (req, res) => {
  *       - Header: `X-Sofarr-Webhook-Secret: {SOFARR_WEBHOOK_SECRET}`
  *       - Events: onGrab, onDownload, onUpgrade, onImport
  *     security: []
+ *     parameters:
+ *       - name: secret
+ *         in: query
+ *         required: false
+ *         schema:
+ *           type: string
+ *         description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
  *     requestBody:
  *       required: true
  *       content:
@@ -603,13 +617,13 @@ router.post('/radarr', webhookLimiter, (req, res) => {
  *       Receives webhook events from Ombi instances. Validates the secret, logs the event,
  *       refreshes cache, broadcasts SSE, and returns 200 immediately (fire-and-forget processing).
  *
- *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header matching `SOFARR_WEBHOOK_SECRET`.
+ *       **Authentication:** Requires `X-Sofarr-Webhook-Secret` header or `secret` query parameter matching `SOFARR_WEBHOOK_SECRET`.
  *       No cookie authentication required (webhooks come from Ombi, not browsers).
  *
  *       **Rate Limiting:** 60 requests per minute per IP.
  *
  *       **Validation:**
- *       - Secret validation via `X-Sofarr-Webhook-Secret` header
+ *       - Secret validation via `X-Sofarr-Webhook-Secret` header or `secret` query parameter
  *       - Payload validation (must be JSON object with notificationType, requestId)
  *       - Event type must be in allowlist (RequestAvailable, RequestApproved, RequestDeclined, RequestPending, RequestProcessing)
  *       - Replay protection: rejects duplicate events within 5-minute window
@@ -627,11 +641,17 @@ router.post('/radarr', webhookLimiter, (req, res) => {
  *       6. Background: fetch fresh data from Ombi, update cache, broadcast SSE
  *
  *       **x-integration-notes:** Configure Ombi webhook:
- *       - URL: `{SOFARR_BASE_URL}/api/webhook/ombi`
+ *       - URL: `{SOFARR_BASE_URL}/api/webhook/ombi?secret={SOFARR_WEBHOOK_SECRET}`
  *       - Method: POST
- *       - Header: `X-Sofarr-Webhook-Secret: {SOFARR_WEBHOOK_SECRET}`
  *       - Application Token: OMBI_API_KEY
  *     security: []
+ *     parameters:
+ *       - name: secret
+ *         in: query
+ *         required: false
+ *         schema:
+ *           type: string
+ *         description: Webhook secret token (alternative to X-Sofarr-Webhook-Secret header)
  *     requestBody:
  *       required: true
  *       content:

server/services/DownloadMatcher.js

@@ -215,6 +215,9 @@ async function matchSabSlots(slots, context) {
           if (isAdmin) {
             dlObj.downloadPath = slot.storage || null;
             dlObj.targetPath = series.path || null;
+            if (series && !series._instanceUrl && sonarrMatch._instanceUrl) {
+              series._instanceUrl = sonarrMatch._instanceUrl;
+            }
             dlObj.arrLink = DownloadAssembler.getSonarrLink(series);
             dlObj.arrInstanceKey = sonarrMatch._instanceKey || null;
           }
@@ -269,6 +272,9 @@ async function matchSabSlots(slots, context) {
           if (isAdmin) {
             dlObj.downloadPath = slot.storage || null;
             dlObj.targetPath = movie.path || null;
+            if (movie && !movie._instanceUrl && radarrMatch._instanceUrl) {
+              movie._instanceUrl = radarrMatch._instanceUrl;
+            }
             dlObj.arrLink = DownloadAssembler.getRadarrLink(movie);
             dlObj.arrInstanceKey = radarrMatch._instanceKey || null;
           }
@@ -459,6 +465,9 @@ async function matchTorrents(torrents, context) {
           if (isAdmin) {
             download.downloadPath = download.savePath || null;
             download.targetPath = series.path || null;
+            if (series && !series._instanceUrl && sonarrMatch._instanceUrl) {
+              series._instanceUrl = sonarrMatch._instanceUrl;
+            }
             download.arrLink = DownloadAssembler.getSonarrLink(series);
             download.arrInstanceKey = sonarrMatch._instanceKey || null;
           }
@@ -505,6 +514,9 @@ async function matchTorrents(torrents, context) {
           if (isAdmin) {
             download.downloadPath = download.savePath || null;
             download.targetPath = movie.path || null;
+            if (movie && !movie._instanceUrl && radarrMatch._instanceUrl) {
+              movie._instanceUrl = radarrMatch._instanceUrl;
+            }
             download.arrLink = DownloadAssembler.getRadarrLink(movie);
             download.arrInstanceKey = radarrMatch._instanceKey || null;
           }

server/utils/config.js

@@ -130,6 +130,10 @@ function getSofarrBaseUrl() {
   return process.env.SOFARR_BASE_URL || '';
 }
 
+function getSofarrWebhookBaseUrl() {
+  return process.env.SOFARR_WEBHOOK_BASE_URL || process.env.SOFARR_BASE_URL || '';
+}
+
 module.exports = {
   getSABnzbdInstances,
   getSonarrInstances,
@@ -140,6 +144,7 @@ module.exports = {
   getRtorrentInstances,
   getWebhookSecret,
   getSofarrBaseUrl,
+  getSofarrWebhookBaseUrl,
   parseInstances,
   validateInstanceUrl
 };

server/utils/poller.js

@@ -8,6 +8,7 @@ const {
   getRadarrInstances,
   getOmbiInstances
 } = require('./config');
+const { logToFile } = require('./logger');
 
 const rawPollInterval = (process.env.POLL_INTERVAL || '').toLowerCase();
 const POLL_INTERVAL = (rawPollInterval === 'off' || rawPollInterval === 'false' || rawPollInterval === 'disabled')

tests/integration/dashboard.test.js

@@ -225,7 +225,7 @@ function invalidatePollCache() {
     'poll:sab-queue', 'poll:sab-history',
     'poll:sonarr-queue', 'poll:sonarr-history', 'poll:sonarr-tags',
     'poll:radarr-queue', 'poll:radarr-history', 'poll:radarr-tags',
-    'poll:qbittorrent'
+    'poll:qbittorrent', 'poll:ombi-requests'
   ];
   for (const k of keys) cache.invalidate(k);
 }
@@ -349,6 +349,7 @@ describe('GET /api/dashboard/user-downloads', () => {
       expect(dl.arrQueueId).toBe(1002);
       expect(dl.arrType).toBe('sonarr');
       expect(dl.arrInstanceUrl).toBe(SONARR_BASE);
+      expect(dl.arrLink).toBe(SONARR_BASE + '/series/admin-show');
       expect(dl.downloadPath).toBeDefined();
     });
 
@@ -750,11 +751,13 @@ describe('POST /api/dashboard/blocklist-search', () => {
     const { cookies, csrf } = await loginAs(app);
     const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
 
-    // Mock getAllDownloads to return a download that doesn't qualify for blocklist
+    // Seed cache: queue record exists but has no import issues (non-admin cannot blocklist)
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
+    cache.set('poll:sonarr-queue', { records: [{
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
+      id: 1,
-      { arrQueueId: 1, arrType: 'sonarr', importIssues: [], qbittorrent: null }
+      title: 'My.Show.S01E01.720p',
-    ]);
+      trackedDownloadState: 'downloading',
+      trackedDownloadStatus: 'ok'
+    }] }, CACHE_TTL);
 
     const res = await request(app)
       .post('/api/dashboard/blocklist-search')
@@ -763,18 +766,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'key', arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(403);
     expect(res.body.error).toMatch(/permission denied/i);
-    mockGetAllDownloads.mockRestore();
   });
 
-  it('returns 403 for non-admin when download not found in active downloads', async () => {
+  it('returns 403 for non-admin when download not found in arr queue cache', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf } = await loginAs(app);
     const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
 
-    // Mock getAllDownloads to return empty array (download not found)
+    // Cache is already seeded empty by beforeEach; no queue record with id=1 exists
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([]);
-
     const res = await request(app)
       .post('/api/dashboard/blocklist-search')
       .set('Cookie', [...cookies, csrfCookie].join('; '))
@@ -782,7 +781,6 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(403);
     expect(res.body.error).toMatch(/download not found/i);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 200 for non-admin with import issues (qualifying condition)', async () => {
@@ -790,11 +788,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
     const { cookies, csrf } = await loginAs(app);
     const csrfCookie = cookies.find(c => c.startsWith('csrf_token='));
 
-    // Mock getAllDownloads to return a download with import issues (qualifies for blocklist)
+    // Seed cache: queue record with import issues — qualifies non-admin for blocklist
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
+    cache.set('poll:sonarr-queue', { records: [{
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
+      id: 1,
-      { arrQueueId: 1, arrType: 'sonarr', importIssues: ['Import error 1'], qbittorrent: null }
+      title: 'My.Show.S01E01.720p',
-    ]);
+      trackedDownloadState: 'importPending',
+      trackedDownloadStatus: 'warning',
+      statusMessages: [{ messages: ['Import error 1'] }]
+    }] }, CACHE_TTL);
 
     // Mock Sonarr DELETE and command endpoints
     nock(SONARR_BASE)
@@ -812,7 +813,6 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 400 when required fields are missing', async () => {
@@ -843,11 +843,8 @@ describe('POST /api/dashboard/blocklist-search', () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    // Mock getAllDownloads to return a matching download for admin
+    // Seed the Sonarr queue cache so the permission lookup finds the record
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -864,18 +861,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('calls Radarr DELETE+command and returns ok:true', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    // Mock getAllDownloads to return a matching download for admin
+    // Seed the Radarr queue cache so the permission lookup finds the record
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
+    cache.set('poll:radarr-queue', { records: [RADARR_QUEUE_RECORD] }, CACHE_TTL);
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 2001, arrType: 'radarr', importIssues: [], qbittorrent: null }
-    ]);
 
     nock(RADARR_BASE)
       .delete('/api/v3/queue/2001')
@@ -892,18 +885,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 2001, arrType: 'radarr', arrInstanceUrl: RADARR_BASE, arrInstanceKey: 'rk', arrContentId: 99, arrContentType: 'movie' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 502 when Sonarr DELETE request fails', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    // Mock getAllDownloads to return a matching download for admin
+    // Seed the Sonarr queue cache so the permission lookup finds the record
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -916,17 +905,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .set('X-CSRF-Token', csrf)
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrContentId: 501, arrContentType: 'episode' });
     expect(res.status).toBe(502);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('returns 200 OK when arrContentId is null but arrSeriesId is present (fallback SeriesSearch)', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
+    // Seed the Sonarr queue cache so the permission lookup finds the record
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -943,17 +929,14 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrSeriesId: 42, arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
   });
 
   it('triggers EpisodeSearch with multiple episode IDs when arrContentIds is provided', async () => {
     const app = createApp({ skipRateLimits: true });
     const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
 
-    const downloadClientRegistry = require('../../server/utils/downloadClients');
+    // Seed the Sonarr queue cache so the permission lookup finds the record
-    const mockGetAllDownloads = vi.spyOn(downloadClientRegistry, 'getAllDownloads').mockResolvedValue([
+    cache.set('poll:sonarr-queue', { records: [SONARR_QUEUE_RECORD] }, CACHE_TTL);
-      { arrQueueId: 1001, arrType: 'sonarr', importIssues: [], qbittorrent: null }
-    ]);
 
     nock(SONARR_BASE)
       .delete('/api/v3/queue/1001')
@@ -970,7 +953,42 @@ describe('POST /api/dashboard/blocklist-search', () => {
       .send({ arrQueueId: 1001, arrType: 'sonarr', arrInstanceUrl: SONARR_BASE, arrInstanceKey: 'sk', arrContentIds: [12, 13, 14], arrContentType: 'episode' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-    mockGetAllDownloads.mockRestore();
+  });
+
+  it('matches download correctly when arrQueueId is sent as a string but stored as a number in queue cache (type mismatch regression)', async () => {
+    // Regression test for issue #48 (v2): arrQueueId from the SPA DOM dataset is always
+    // a string, but the queue record id from the Radarr/Sonarr API cache is a number.
+    // Without String() casting the === comparison fails and returns 403.
+    const app = createApp({ skipRateLimits: true });
+    const { cookies, csrf, csrfCookie } = await getAuthHeaders(app);
+
+    // Seed Radarr queue with a numeric id (as Radarr API returns it)
+    cache.set('poll:radarr-queue', { records: [{
+      id: 9050001,
+      title: 'Project.Hail.Mary.2026.2160p',
+      movieId: 77,
+      trackedDownloadState: 'downloading',
+      trackedDownloadStatus: 'ok',
+      _instanceUrl: RADARR_BASE,
+      _instanceKey: 'rk'
+    }] }, CACHE_TTL);
+
+    nock(RADARR_BASE)
+      .delete('/api/v3/queue/9050001')
+      .query({ removeFromClient: 'true', blocklist: 'true' })
+      .reply(200, {});
+    nock(RADARR_BASE)
+      .post('/api/v3/command')
+      .reply(200, {});
+
+    const res = await request(app)
+      .post('/api/dashboard/blocklist-search')
+      .set('Cookie', [...cookies, csrfCookie].join('; '))
+      .set('X-CSRF-Token', csrf)
+      // arrQueueId sent as a STRING from the client (as the SPA DOM dataset does)
+      .send({ arrQueueId: '9050001', arrType: 'radarr', arrInstanceUrl: RADARR_BASE, arrInstanceKey: 'rk', arrContentId: 77, arrContentType: 'movie' });
+    expect(res.status).toBe(200);
+    expect(res.body.ok).toBe(true);
   });
 });
 

tests/integration/ombi.test.js

@@ -856,7 +856,7 @@ describe('POST /api/ombi/webhook/enable', () => {
       .post('/api/v1/Settings/notifications/webhook', {
         id: 42,
         enabled: true,
-        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi`,
+        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi?secret=test-webhook-secret`,
         applicationToken: 'test-ombi-key'
       })
       .reply(200, { success: true });
@@ -870,7 +870,7 @@ describe('POST /api/ombi/webhook/enable', () => {
       .expect(200);
     
     expect(res.body.success).toBe(true);
-    expect(res.body.webhookUrl).toBe(`${SOFARR_BASE}/api/webhook/ombi`);
+    expect(res.body.webhookUrl).toBe(`${SOFARR_BASE}/api/webhook/ombi?secret=test-webhook-secret`);
     expect(res.body.applicationToken).toBe('test-ombi-key');
   });
 
@@ -882,7 +882,7 @@ describe('POST /api/ombi/webhook/enable', () => {
       .post('/api/v1/Settings/notifications/webhook', {
         id: 0,
         enabled: true,
-        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi`,
+        webhookUrl: `${SOFARR_BASE}/api/webhook/ombi?secret=test-webhook-secret`,
         applicationToken: 'test-ombi-key'
       })
       .reply(200, { success: true });
@@ -1014,10 +1014,16 @@ describe('POST /api/ombi/webhook/test', () => {
     expect(webhookScope.isDone()).toBe(true);
   });
 
-  it('handles webhook send errors gracefully', async () => {
+  it('handles webhook send errors gracefully when both public and loopback fail', async () => {
     nock(SOFARR_BASE)
       .post('/api/webhook/ombi')
       .reply(500, { error: 'Internal server error' });
+    nock('http://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(500, { error: 'Internal server error' });
+    nock('https://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(500, { error: 'Internal server error' });
     
     const { cookies, csrfToken } = await authenticateUser(app, 'TestUser', false);
     
@@ -1029,4 +1035,26 @@ describe('POST /api/ombi/webhook/test', () => {
     
     expect(res.body.error).toBe('Failed to test Ombi webhook');
   });
+
+  it('falls back to local loopback when public URL request fails', async () => {
+    nock(SOFARR_BASE)
+      .post('/api/webhook/ombi')
+      .replyWithError('Connection refused');
+    nock('http://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(200, { received: true });
+    nock('https://127.0.0.1:3001')
+      .post('/api/webhook/ombi')
+      .reply(200, { received: true });
+    
+    const { cookies, csrfToken } = await authenticateUser(app, 'TestUser', false);
+    
+    const res = await request(app)
+      .post('/api/ombi/webhook/test')
+      .set('Cookie', cookies)
+      .set('X-CSRF-Token', csrfToken)
+      .expect(200);
+    
+    expect(res.body.success).toBe(true);
+  });
 });

tests/integration/webhook.test.js

@@ -156,6 +156,24 @@ describe('POST /api/webhook/sonarr — secret validation', () => {
     const res = await postSonarr(app, SONARR_GRAB, 'anything');
     expect(res.status).toBe(401);
   });
+
+  it('returns 200 when secret is provided as a query parameter instead of header', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post(`/api/webhook/sonarr?secret=${VALID_SECRET}`)
+      .send(SONARR_GRAB);
+    expect(res.status).toBe(200);
+    expect(res.body.received).toBe(true);
+  });
+
+  it('returns 401 when secret is provided as an invalid query parameter', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post('/api/webhook/sonarr?secret=wrong-query-secret')
+      .send(SONARR_GRAB);
+    expect(res.status).toBe(401);
+    expect(res.body.error).toBe('Unauthorized');
+  });
 });
 
 describe('POST /api/webhook/radarr — secret validation', () => {
@@ -171,6 +189,23 @@ describe('POST /api/webhook/radarr — secret validation', () => {
     const res = await postRadarr(app, RADARR_GRAB, 'bad-secret');
     expect(res.status).toBe(401);
   });
+
+  it('returns 200 when secret is provided as a query parameter instead of header', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post(`/api/webhook/radarr?secret=${VALID_SECRET}`)
+      .send(RADARR_GRAB);
+    expect(res.status).toBe(200);
+    expect(res.body.received).toBe(true);
+  });
+
+  it('returns 401 when secret is provided as an invalid query parameter', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post('/api/webhook/radarr?secret=wrong-query-secret')
+      .send(RADARR_GRAB);
+    expect(res.status).toBe(401);
+  });
 });
 
 // ---------------------------------------------------------------------------
@@ -548,6 +583,40 @@ describe('POST /api/webhook/ombi', () => {
     expect(res.body.error).toBe('Unauthorized');
   });
 
+  it('returns 200 when secret is provided as a query parameter instead of header', async () => {
+    const app = makeApp();
+    nock('https://ombi.test')
+      .get('/api/v1/Request/movie')
+      .reply(200, []);
+    nock('https://ombi.test')
+      .get('/api/v1/Request/tv')
+      .reply(200, []);
+
+    const res = await request(app)
+      .post(`/api/webhook/ombi?secret=${VALID_SECRET}`)
+      .send({
+        notificationType: 'NewRequest',
+        requestId: 127,
+        requestedUser: 'gordon',
+        title: 'Query Movie',
+        type: 'Movie',
+        requestStatus: 'Pending',
+        applicationUrl: 'https://ombi.test',
+        requestedDate: '2026-05-23T20:40:00.000Z'
+      });
+    expect(res.status).toBe(200);
+    expect(res.body.received).toBe(true);
+  });
+
+  it('returns 401 when secret is provided as an invalid query parameter', async () => {
+    const app = makeApp();
+    const res = await request(app)
+      .post('/api/webhook/ombi?secret=wrong-query-secret')
+      .send({ notificationType: 'NewRequest', requestId: 1 });
+    expect(res.status).toBe(401);
+    expect(res.body.error).toBe('Unauthorized');
+  });
+
   it('returns 400 when notificationType is missing or invalid', async () => {
     const app = makeApp();
     const res = await postOmbi(app, { requestId: 1 });

tests/unit/clients/OmbiClient.test.js

@@ -336,4 +336,47 @@ describe('OmbiClient', () => {
       expect(result).toBe(false);
     });
   });
+
+  describe('getUsers', () => {
+    it('should return user array for successful request', async () => {
+      const mockUsers = [
+        { id: '1', userName: 'Gordon' },
+        { id: '2', userName: 'Alice' }
+      ];
+
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .matchHeader('ApiKey', apiKey)
+        .reply(200, mockUsers);
+
+      const client = new OmbiClient(baseUrl, apiKey);
+      const result = await client.getUsers();
+
+      expect(result).toEqual(mockUsers);
+    });
+
+    it('should return empty array on API error', async () => {
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .matchHeader('ApiKey', apiKey)
+        .reply(500, { error: 'Internal Server Error' });
+
+      const client = new OmbiClient(baseUrl, apiKey);
+      const result = await client.getUsers();
+
+      expect(result).toEqual([]);
+    });
+
+    it('should return empty array on network error', async () => {
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .matchHeader('ApiKey', apiKey)
+        .replyWithError('Network error');
+
+      const client = new OmbiClient(baseUrl, apiKey);
+      const result = await client.getUsers();
+
+      expect(result).toEqual([]);
+    });
+  });
 });

tests/unit/clients/OmbiRetriever.test.js

@@ -766,4 +766,70 @@ describe('OmbiRetriever', () => {
       expect(stats.age).toBeGreaterThanOrEqual(0);
     });
   });
+
+  describe('hydration logic', () => {
+    it('should hydrate requestedUser when missing but requestedUserId is present', async () => {
+      const mockMovies = [
+        { id: 1, title: 'Movie 1', requestedUserId: 'gordon-id', requestedUser: null }
+      ];
+      const mockTvShows = [];
+      const mockUsers = [
+        { id: 'gordon-id', userName: 'Gordon', alias: 'G-Man' }
+      ];
+
+      nock(baseUrl)
+        .get('/api/v1/Request/movie')
+        .reply(200, mockMovies);
+
+      nock(baseUrl)
+        .get('/api/v1/Request/tv')
+        .reply(200, mockTvShows);
+
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .reply(200, mockUsers);
+
+      const retriever = new OmbiRetriever(instanceConfig);
+      const result = await retriever.getMovieRequests();
+
+      expect(result).toHaveLength(1);
+      expect(result[0].requestedUser).toBeDefined();
+      expect(result[0].requestedUser.userName).toBe('Gordon');
+      expect(result[0].requestedUser.alias).toBe('G-Man');
+    });
+
+    it('should not overwrite non-empty requestedUser object', async () => {
+      const mockMovies = [
+        {
+          id: 1,
+          title: 'Movie 1',
+          requestedUserId: 'gordon-id',
+          requestedUser: { userName: 'ExistingGordon', alias: 'ExistingG' }
+        }
+      ];
+      const mockTvShows = [];
+      const mockUsers = [
+        { id: 'gordon-id', userName: 'Gordon', alias: 'G-Man' }
+      ];
+
+      nock(baseUrl)
+        .get('/api/v1/Request/movie')
+        .reply(200, mockMovies);
+
+      nock(baseUrl)
+        .get('/api/v1/Request/tv')
+        .reply(200, mockTvShows);
+
+      nock(baseUrl)
+        .get('/api/v1/Identity/Users')
+        .reply(200, mockUsers);
+
+      const retriever = new OmbiRetriever(instanceConfig);
+      const result = await retriever.getMovieRequests();
+
+      expect(result).toHaveLength(1);
+      expect(result[0].requestedUser.userName).toBe('ExistingGordon');
+      expect(result[0].requestedUser.alias).toBe('ExistingG');
+    });
+  });
 });