X-Api-Key not working for movie/tv title detail pages

[hacki11]

I'm using jellyseerr behind a traefik reverse proxy and I want to use the X-Api-Key authentication instead of form based authentication.
This is working fine for the v1/api calls and also for most of the website content like discover, settings, etc. but it is failing if I click on a movie or tv.

Examplary failing endpoint:
https://myhost/_next/data/IWKNvCMssobNUGUtHTJxq/tv/2710.json?tvId=2710
I'll get a HTTP 307 redirect status code to /login and the log of jellyseerr is saying:

AxiosError: Request failed with status code 403

data: {
jellyseerr  |       status: 403,
jellyseerr  |       error: 'You do not have permission to access this endpoint'
jellyseerr  |     }

The log also says it wants to get the endpoint: 'http://localhost:5055/api/v1/tv/2710' which is in the end working completely fine with X-Api-Key. So it seems this _next endpoint is somehow not respecting this X-Api-Key header.

To test this, I use a browser extension, to add the custom header X-Api-Key with the jellyseerr api key as value.
Not using X-Api-Key but form based authentication with my jellyfin user works completely fine.

Is this working for you?

[hacki11]

I just found this piece
https://github.com/Fallenbagel/jellyseerr/blob/7af193b8f65e32c06ed5b7ca5cb21234f28f06fc/src/pages/tv/%5BtvId%5D/index.tsx#L20

http://localhost:${process.env.PORT || 5055}/api/v1/tv/${ctx.query.tvId}`,
    {
      headers: ctx.req?.headers?.cookie
        ? { cookie: ctx.req.headers.cookie }
        : undefined,
    }

It looks like only a cookie is forwarded to the endpoint but not the X-Api-Key

[fallenbagel]

Have you looked at our api-docs (http://localhost:5055/api-docs)?
Tv/movie end points work perfectly with x-api-key through reverse proxy.

Here's an example endpoint:
http://localhost:5055/api/v1/tv/76479?language=en

curl -X 'GET'  'https://localhost:5055/api/v1/tv/76479?language=en' -H 'accept: application/json' -H 'X-Api-Key: thisisanxapikey'

And here's the output:

[hacki11]

Yes, and the endpoint you are mentioning is working completely fine if I call it directly. What I'm talking about is the website and it fails if you click on a movie or tv poster if you authenticate only with X-Api-Key. It uses this _next endpoint I mentioned which seems to call the endpoint you mentioned by itself and this seems to fail. Perhaps bc it doesn't use the header.

Can you reproduce this on your side?

[fallenbagel]

Yes, and the endpoint you are mentioning is working completely fine if I call it directly. What I'm talking about is the website and it fails if you click on a movie or tv poster if you authenticate only with X-Api-Key. It uses this _next endpoint I mentioned which seems to call the endpoint you mentioned by itself and this seems to fail. Perhaps bc it doesn't use the header.

Can you reproduce this on your side?

There is a _next endpoint because this is a nextjs app.

X-api-key is used for tools looking to access the api only.

[hacki11]

Yeah, kind of reasonable. I had the hope it would also work für Web UI as most of the stuff actually works, only the detail pages seem not to be.
Nevertheless, thanks for clarification