BUG: Ombi webhook authentication fails due to custom header requirement #47

Closed
opened 2026-05-24 21:15:52 +01:00 by Gandalf · 1 comment
Owner

Bug Description

Ombi webhooks are currently failing to authenticate. In server/routes/webhook.js, all /api/webhook/* endpoints (sonarr, radarr, and ombi) require the custom X-Sofarr-Webhook-Secret HTTP header to be present and match the configured SOFARR_WEBHOOK_SECRET.

However, Ombi's built-in Webhook notification agent does not support adding custom HTTP headers to its outgoing webhook notification requests. This makes it impossible for Ombi to successfully authenticate using the current header-only validation mechanism.

Root Cause

In server/routes/webhook.js, validateWebhookSecret(req) only inspects req.get('X-Sofarr-Webhook-Secret'):

function validateWebhookSecret(req) {
  const expectedSecret = getWebhookSecret();
  const providedSecret = req.get('X-Sofarr-Webhook-Secret');
  ...
}

Since Ombi sends standard JSON payloads to a configured URL without custom headers, it cannot supply this header, resulting in a 401 Unauthorized response.

Proposed Remediation

  1. Fallback Authentication Method: Update validateWebhookSecret(req) in server/routes/webhook.js to look for the secret in either the X-Sofarr-Webhook-Secret header OR as a secret query parameter (req.query.secret).
  2. Registration Update: Update the /webhook/enable route in server/routes/ombi.js to automatically append ?secret=${webhookSecret} to the registered webhookUrl sent to Ombi.
  3. OpenAPI Spec & JSDoc Updates: Document the query-parameter fallback authentication option in server/openapi.yaml and the @openapi JSDoc comments in server/routes/webhook.js.
  4. Integration Testing: Add new integration tests in tests/integration/webhook.test.js to assert that authentication via query parameters succeeds, and that invalid query parameters are rejected.
### Bug Description Ombi webhooks are currently failing to authenticate. In `server/routes/webhook.js`, all `/api/webhook/*` endpoints (sonarr, radarr, and ombi) require the custom `X-Sofarr-Webhook-Secret` HTTP header to be present and match the configured `SOFARR_WEBHOOK_SECRET`. However, Ombi's built-in Webhook notification agent does not support adding custom HTTP headers to its outgoing webhook notification requests. This makes it impossible for Ombi to successfully authenticate using the current header-only validation mechanism. ### Root Cause In `server/routes/webhook.js`, `validateWebhookSecret(req)` only inspects `req.get('X-Sofarr-Webhook-Secret')`: ```javascript function validateWebhookSecret(req) { const expectedSecret = getWebhookSecret(); const providedSecret = req.get('X-Sofarr-Webhook-Secret'); ... } ``` Since Ombi sends standard JSON payloads to a configured URL without custom headers, it cannot supply this header, resulting in a `401 Unauthorized` response. ### Proposed Remediation 1. **Fallback Authentication Method**: Update `validateWebhookSecret(req)` in `server/routes/webhook.js` to look for the secret in either the `X-Sofarr-Webhook-Secret` header OR as a `secret` query parameter (`req.query.secret`). 2. **Registration Update**: Update the `/webhook/enable` route in `server/routes/ombi.js` to automatically append `?secret=${webhookSecret}` to the registered `webhookUrl` sent to Ombi. 3. **OpenAPI Spec & JSDoc Updates**: Document the query-parameter fallback authentication option in `server/openapi.yaml` and the `@openapi` JSDoc comments in `server/routes/webhook.js`. 4. **Integration Testing**: Add new integration tests in `tests/integration/webhook.test.js` to assert that authentication via query parameters succeeds, and that invalid query parameters are rejected.
Gandalf added the Kind/Bug
Priority
Critical
1
labels 2026-05-24 21:15:52 +01:00
Author
Owner

Resolved in commit 7b9c895888.

Resolved in commit 7b9c8958886ec3507e7b3b2b98d2c2c59955f906.
Gandalf added the Area/Proxy label 2026-05-28 11:58:28 +01:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Gandalf/sofarr#47