BUG: Ombi webhook authentication fails due to custom header requirement #47
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Bug Description
Ombi webhooks are currently failing to authenticate. In
server/routes/webhook.js, all/api/webhook/*endpoints (sonarr, radarr, and ombi) require the customX-Sofarr-Webhook-SecretHTTP header to be present and match the configuredSOFARR_WEBHOOK_SECRET.However, Ombi's built-in Webhook notification agent does not support adding custom HTTP headers to its outgoing webhook notification requests. This makes it impossible for Ombi to successfully authenticate using the current header-only validation mechanism.
Root Cause
In
server/routes/webhook.js,validateWebhookSecret(req)only inspectsreq.get('X-Sofarr-Webhook-Secret'):Since Ombi sends standard JSON payloads to a configured URL without custom headers, it cannot supply this header, resulting in a
401 Unauthorizedresponse.Proposed Remediation
validateWebhookSecret(req)inserver/routes/webhook.jsto look for the secret in either theX-Sofarr-Webhook-Secretheader OR as asecretquery parameter (req.query.secret)./webhook/enableroute inserver/routes/ombi.jsto automatically append?secret=${webhookSecret}to the registeredwebhookUrlsent to Ombi.server/openapi.yamland the@openapiJSDoc comments inserver/routes/webhook.js.tests/integration/webhook.test.jsto assert that authentication via query parameters succeeds, and that invalid query parameters are rejected.Resolved in commit
7b9c895888.