fix(auth): resolve Plex OAuth client ID mismatch

[0xSysR3ll]

Description

This PR fixes an issue where Plex Oauth login could fail because the browser and server were using different client identifiers.
The browser generated its own ID (plex-client-id, stored in localStorage), while the server used clientId (stored in settings.json. Now both use the same value: plexClientIdentifier

As part of this PR, I also discovered a security issue:
clientId was being used to sign sessions even though it is a public value.

To address this, this PR introduces a new sessionSecret dedicated to session signing.

Warning

Introducing this new session secret will obviously invalidate all existing sessions, meaning all users will be logged out.

• Fixes Plex auth popup does not use the stored clientId #2736

How Has This Been Tested?

(Not tested yet but in theory should work).

Screenshots / Logs (if applicable)

Checklist:

• I have read and followed the contribution guidelines.
• Disclosed any use of AI (see our policy)
• I have updated the documentation accordingly.
• All new and existing tests passed.
• Successful build pnpm build
• Translation keys pnpm i18n:extract
• Database migration (if required)

Summary by CodeRabbit

• Improvements
  • Plex authentication now uses server-provided client identifiers for more consistent, reliable logins.
  • Sessions use dedicated, server-generated secrets for stronger session protection.
  • Plex account linking includes explicit client identification and improved error handling for clearer outcomes.
  • Popup handling and environment checks are more robust, reducing authentication failures and improving reliability.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a server-generated sessionSecret, exposes plexClientIdentifier in public settings, switches Express session secret to use it, and updates Plex OAuth to require & use the server-provided client identifier (removing client-side UUID generation).

Changes

Cohort / File(s)	Summary
Session secret (tests & server) cypress/config/settings.cypress.json, server/index.ts	Added sessionSecret to cypress test settings; express-session secret switched from clientId to sessionSecret.
Public API & types seerr-api.yml, server/interfaces/api/settingsInterfaces.ts	Added plexClientIdentifier (UUID string) to public API schema and PublicSettingsResponse; marked plexClientIdentifier required.
Backend settings & persistence server/lib/settings/index.ts	Added optional persisted sessionSecret, generate+persist 32-byte hex sessionSecret when missing, expose plexClientIdentifier mapped from clientId, added get sessionSecret() getter.
Frontend defaults & context src/context/SettingsContext.tsx, src/pages/_app.tsx	Added plexClientIdentifier to default/fallback public settings so field exists before API load.
Plex OAuth flow & utils src/utils/plex.ts, src/hooks/usePlexLogin.ts, src/components/.../UserLinkedAccountsSettings/index.tsx	Removed client-side UUID/localStorage generation; made initializeHeaders() and login() require plexClientIdentifier; tightened popup handling, error flows, and environment checks; updated callers to pass plexClientIdentifier.

Sequence Diagram(s)

sequenceDiagram
  rect rgba(200,220,255,0.5)
    participant UserBrowser as User Browser
    participant Frontend as Frontend (React)
  end
  rect rgba(200,255,200,0.5)
    participant Backend as Backend (API)
    participant SettingsStore as Settings/DB
  end
  rect rgba(255,220,200,0.5)
    participant Plex as Plex Auth
  end

  UserBrowser->>Frontend: Click "Authenticate with Plex"
  Frontend->>Frontend: read currentSettings.plexClientIdentifier
  Frontend->>Plex: Open popup & call PlexOAuth.login(plexClientIdentifier)
  Plex-->>Frontend: User approves, returns authToken (popup)
  Frontend->>Backend: POST /api/v1/plex/linked-accounts { authToken }
  Backend->>SettingsStore: Read settings.plexClientIdentifier / sessionSecret
  Backend->>Plex: Complete/validate auth using server plexClientIdentifier
  Plex-->>Backend: Success -> account linked
  Backend-->>Frontend: 200 OK
  Frontend->>Frontend: revalidateUser()

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• fix(link-account): fix error-message override #2547 — modifies UserLinkedAccountsSettings Plex login call and error handling; closely related to frontend login changes.

Suggested labels

bug

Suggested reviewers

• fallenbagel
• gauthier-th
• M0NsTeRRR

Poem

🐰 I found the secret tucked in store,
The client id now comes from core.
Popups sync and tokens flow,
No more scattered IDs to sow.
Hops of joy — auth works once more! 🥕

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(auth): resolve Plex OAuth client ID mismatch' accurately describes the main change - unifying client identifier handling between browser and server for Plex OAuth.
Linked Issues check	✅ Passed	All code changes address issue #2736: the PR passes the stored plexClientIdentifier to Plex auth flow, implements server-side storage in settings, and updates client-side usage to resolve the client ID mismatch preventing successful OAuth.
Out of Scope Changes check	✅ Passed	The sessionSecret addition addresses session signing security (clientId was inappropriately used); this is a necessary companion change. All other modifications are in-scope for unified client identifier handling.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@seerr-api.yml`:
- Around line 713-717: Update the OpenAPI schema to make plexClientIdentifier
required: in the PublicSettings schema add "plexClientIdentifier" to its
required array (and ensure the plexClientIdentifier property remains defined
with type: string and format: uuid). Locate the PublicSettings definition and
modify the required list so the contract enforces presence of
plexClientIdentifier used by the Plex OAuth client.

In `@server/interfaces/api/settingsInterfaces.ts`:
- Line 51: The FullPublicSettings type and the fullPublicSettings getter are
missing the required plexClientIdentifier property, causing
/api/v1/settings/public to omit the Plex OAuth client id; update the
FullPublicSettings type to include plexClientIdentifier: string and modify the
fullPublicSettings getter in server/lib/settings/index.ts (function/getter
fullPublicSettings) to read the stored Plex client identifier (e.g., from the
same settings source used for other public fields) and include
plexClientIdentifier in the returned object so the public settings endpoint
always contains the identifier.

In `@server/lib/settings/index.ts`:
- Around line 392-393: Replace uses of randomUUID() for sessionSecret with a
32-byte high-entropy hex string: use crypto.randomBytes(32).toString('hex')
wherever sessionSecret is generated (e.g., the constructor default, the load()
fallback that sets sessionSecret, and the migration that seeds sessionSecret).
Add or ensure an import of randomBytes from 'crypto' (or use
require('crypto').randomBytes) in the modules where you change it so the new
32-byte hex secret is produced instead of a UUID.

In `@src/utils/plex.ts`:
- Around line 82-84: Wrap the call to initializeHeaders inside login in a
try/catch so that if header initialization throws (e.g., missing
plexClientIdentifier) you catch the error, call the same popup cleanup/close
routine used by preparePopup to close the pre-opened popup, then rethrow or
handle the error before returning; specifically update the login method (which
currently calls this.initializeHeaders and this.getPin) to catch initialization
failures, invoke the popup close/cleanup method used elsewhere in this class
(the one that undoes preparePopup), and only proceed to this.getPin on success.
- Around line 31-35: Replace unsafe global checks that use "if (!window)" with a
typeof check to avoid ReferenceError: in initializeHeaders (and the other
similar check in this file) change the condition to use "typeof window ===
'undefined'" (or the negated form) so the code safely detects non-browser
environments; update both the initializeHeaders function and the second
occurrence at line 162 to use this typeof check.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ccb23e80-37d8-49bc-9bcb-7d989a4cc2a4

📥 Commits

Reviewing files that changed from the base of the PR and between dbe1fca and 401563c.

📒 Files selected for processing (11)

• cypress/config/settings.cypress.json
• seerr-api.yml
• server/index.ts
• server/interfaces/api/settingsInterfaces.ts
• server/lib/settings/index.ts
• server/lib/settings/migrations/0009_migrate_session_secret.ts
• src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx
• src/context/SettingsContext.tsx
• src/hooks/usePlexLogin.ts
• src/pages/_app.tsx
• src/utils/plex.ts

[Copilot]

Pull request overview

Fixes Plex OAuth failures caused by mismatched client identifiers between browser and server, and improves session security by moving cookie signing to a dedicated secret.

Changes:

• Browser-side Plex OAuth now uses a server-provided plexClientIdentifier instead of generating/storing its own localStorage ID.
• Introduces sessionSecret in settings and uses it for express-session signing (replacing clientId).
• Updates public settings API/types/OpenAPI spec and Cypress settings fixture to include the new fields.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/utils/plex.ts	Removes per-browser generated Plex client ID; requires identifier to be passed in and uses it in headers/login.
src/hooks/usePlexLogin.ts	Retrieves plexClientIdentifier from settings and passes it into plexOAuth.login.
src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx	Passes settings-provided plexClientIdentifier into Plex OAuth when linking accounts.
src/context/SettingsContext.tsx	Extends default settings to include plexClientIdentifier.
src/pages/_app.tsx	Extends initial public settings shape to include plexClientIdentifier.
server/lib/settings/index.ts	Adds sessionSecret, exposes plexClientIdentifier via public settings, and ensures secrets are generated if missing.
server/lib/settings/migrations/0009_migrate_session_secret.ts	Adds a settings migration to populate sessionSecret for existing installs.
server/index.ts	Switches session signing secret from clientId to sessionSecret.
server/interfaces/api/settingsInterfaces.ts	Updates PublicSettingsResponse to include plexClientIdentifier.
seerr-api.yml	Documents plexClientIdentifier in the public settings schema.
cypress/config/settings.cypress.json	Adds sessionSecret to test settings fixture.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

src/utils/plex.ts (1)

82-89: ⚠️ Potential issue | 🟡 Minor

Close the pre-opened popup when getPin() fails too.

preparePopup() runs before login(), but the new try only covers initializeHeaders(). If the PIN request rejects, the popup stays stuck on /login/plex/loading.

Suggested fix

   public async login(plexClientIdentifier: string): Promise<string> {
     try {
       this.initializeHeaders(plexClientIdentifier);
+      await this.getPin();
     } catch (e) {
       this.closePopup();
       throw e;
     }
-    await this.getPin();

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/utils/plex.ts` around lines 82 - 89, The login method currently only
closes the pre-opened popup if initializeHeaders throws; wrap the await
this.getPin() call (or add a try/catch around it) so that if getPin() rejects
you call this.closePopup() and rethrow the error; update the login function
(referencing login, initializeHeaders, getPin, and closePopup) to ensure the
popup is closed on getPin failure while leaving successful flows unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/lib/settings/index.ts`:
- Around line 759-760: The getter get sessionSecret currently returns
this.data.sessionSecret! which can be undefined when load(overrideSettings)
returned early; update the override-path in load(overrideSettings) to
normalize/backfill the sessionSecret before returning (e.g., set
this.data.sessionSecret = this.data.sessionSecret ?? generateSessionSecret() or
call the same backfill/normalize helper used for the normal load path), and
ensure the same fix is applied for the other affected getters around 798-800 so
get sessionSecret and related getters never return undefined.

---

Duplicate comments:
In `@src/utils/plex.ts`:
- Around line 82-89: The login method currently only closes the pre-opened popup
if initializeHeaders throws; wrap the await this.getPin() call (or add a
try/catch around it) so that if getPin() rejects you call this.closePopup() and
rethrow the error; update the login function (referencing login,
initializeHeaders, getPin, and closePopup) to ensure the popup is closed on
getPin failure while leaving successful flows unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3507b71f-f311-47e7-bd7e-8b95da132343

📥 Commits

Reviewing files that changed from the base of the PR and between 401563c and c8756e5.

📒 Files selected for processing (11)

• cypress/config/settings.cypress.json
• seerr-api.yml
• server/index.ts
• server/interfaces/api/settingsInterfaces.ts
• server/lib/settings/index.ts
• server/lib/settings/migrations/0009_migrate_session_secret.ts
• src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx
• src/context/SettingsContext.tsx
• src/hooks/usePlexLogin.ts
• src/pages/_app.tsx
• src/utils/plex.ts

✅ Files skipped from review due to trivial changes (5)

• src/pages/_app.tsx
• server/index.ts
• cypress/config/settings.cypress.json
• src/context/SettingsContext.tsx
• server/interfaces/api/settingsInterfaces.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• src/hooks/usePlexLogin.ts
• server/lib/settings/migrations/0009_migrate_session_secret.ts
• seerr-api.yml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/utils/plex.ts (1)

82-117: ⚠️ Potential issue | 🟠 Major

Fail fast when the popup never opens.

If window.open() is blocked or preparePopup() was skipped, Lines 111-117 still fall through to pinPoll(). pinPoll() treats this.popup === undefined as “not closed”, so the login flow polls forever instead of returning an actionable error.

💡 Suggested fix

     if (!this.plexHeaders || !this.pin) {
       throw new Error('Unable to call login if class is not initialized.');
     }
@@
-    if (this.popup) {
-      this.popup.location.href = `https://app.plex.tv/auth/#!?${this.encodeData(
-        params
-      )}`;
-    }
+    if (!this.popup || this.popup.closed) {
+      this.closePopup();
+      throw new Error(
+        'Unable to open Plex login popup. Please allow popups and try again.'
+      );
+    }
+
+    this.popup.location.href = `https://app.plex.tv/auth/#!?${this.encodeData(
+      params
+    )}`;
 
     return this.pinPoll();

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/utils/plex.ts` around lines 82 - 117, The login method can hang because
if the popup wasn't created (this.popup is undefined due to window.open being
blocked or preparePopup skipped), the method proceeds to call pinPoll which
treats undefined popup as "not closed" and polls forever; update login (after
getPin and before calling pinPoll) to check that this.popup exists and is not
closed, and if it doesn't exist or is blocked throw a descriptive error (e.g.,
"Popup blocked or not opened") and call closePopup as needed so the caller gets
an actionable failure instead of an infinite poll; reference the login, getPin,
pinPoll, this.popup and closePopup symbols when making the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@src/utils/plex.ts`:
- Around line 82-117: The login method can hang because if the popup wasn't
created (this.popup is undefined due to window.open being blocked or
preparePopup skipped), the method proceeds to call pinPoll which treats
undefined popup as "not closed" and polls forever; update login (after getPin
and before calling pinPoll) to check that this.popup exists and is not closed,
and if it doesn't exist or is blocked throw a descriptive error (e.g., "Popup
blocked or not opened") and call closePopup as needed so the caller gets an
actionable failure instead of an infinite poll; reference the login, getPin,
pinPoll, this.popup and closePopup symbols when making the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1421cd12-3b1f-4140-82b3-ac73c86447f6

📥 Commits

Reviewing files that changed from the base of the PR and between c8756e5 and e2626eb.

📒 Files selected for processing (11)

• cypress/config/settings.cypress.json
• seerr-api.yml
• server/index.ts
• server/interfaces/api/settingsInterfaces.ts
• server/lib/settings/index.ts
• server/lib/settings/migrations/0009_migrate_session_secret.ts
• src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx
• src/context/SettingsContext.tsx
• src/hooks/usePlexLogin.ts
• src/pages/_app.tsx
• src/utils/plex.ts

✅ Files skipped from review due to trivial changes (5)

• server/interfaces/api/settingsInterfaces.ts
• src/pages/_app.tsx
• src/hooks/usePlexLogin.ts
• src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx
• server/index.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• server/lib/settings/migrations/0009_migrate_session_secret.ts
• src/context/SettingsContext.tsx
• seerr-api.yml

[fallenbagel]

Overall looks good. A few comments

[coderabbitai]

♻️ Duplicate comments (1)

server/lib/settings/index.ts (1)

759-761: ⚠️ Potential issue | 🟡 Minor

sessionSecret can still be undefined on the override load path.

load(overrideSettings) returns before the missing-secret backfill runs, so the non-null assertion in get sessionSecret() can still return undefined at runtime for override payloads without sessionSecret.

Suggested fix

   public async load(
     overrideSettings?: AllSettings,
     raw = false
   ): Promise<Settings> {
     if (overrideSettings) {
       this.data = overrideSettings;
+      if (!this.data.sessionSecret) {
+        this.data.sessionSecret = randomBytes(32).toString('hex');
+      }
       return this;
     }

Also applies to: 798-800

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/lib/settings/index.ts` around lines 759 - 761, The sessionSecret
getter uses a non-null assertion but load(overrideSettings) can return before
the backfill runs, so change get sessionSecret() to safely handle undefined:
either throw a clear error if this.data.sessionSecret is missing or
synchronously invoke the existing backfill/ensure routine (e.g., call an
ensureSessionSecret()/backfillSessionSecret() helper or run the same logic used
after load) and then return the value; do the same fix for the other affected
getter referenced in the comment (replace the `!` with a guarded check and
recovery/throw). Ensure you reference the sessionSecret getter and
load(overrideSettings) behavior when implementing the fix.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@server/lib/settings/index.ts`:
- Around line 759-761: The sessionSecret getter uses a non-null assertion but
load(overrideSettings) can return before the backfill runs, so change get
sessionSecret() to safely handle undefined: either throw a clear error if
this.data.sessionSecret is missing or synchronously invoke the existing
backfill/ensure routine (e.g., call an
ensureSessionSecret()/backfillSessionSecret() helper or run the same logic used
after load) and then return the value; do the same fix for the other affected
getter referenced in the comment (replace the `!` with a guarded check and
recovery/throw). Ensure you reference the sessionSecret getter and
load(overrideSettings) behavior when implementing the fix.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 85c9e0ee-0d24-4c5d-8375-68c1a5f1dd65

📥 Commits

Reviewing files that changed from the base of the PR and between e2626eb and a289811.

📒 Files selected for processing (11)

• cypress/config/settings.cypress.json
• seerr-api.yml
• server/index.ts
• server/interfaces/api/settingsInterfaces.ts
• server/lib/settings/index.ts
• server/lib/settings/migrations/0009_migrate_session_secret.ts
• src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx
• src/context/SettingsContext.tsx
• src/hooks/usePlexLogin.ts
• src/pages/_app.tsx
• src/utils/plex.ts

✅ Files skipped from review due to trivial changes (3)

• src/pages/_app.tsx
• server/index.ts
• server/lib/settings/migrations/0009_migrate_session_secret.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• server/interfaces/api/settingsInterfaces.ts
• src/hooks/usePlexLogin.ts
• src/context/SettingsContext.tsx

[coderabbitai]

🧹 Nitpick comments (1)

cypress/config/settings.cypress.json (1)

3-3: Consider using a hex-format test secret for consistency with production.

The production code generates sessionSecret as a 64-character hex string via randomBytes(32).toString('hex'). While express-session accepts any string and this won't cause functional issues, using a consistent format in test fixtures can help catch format-related bugs earlier.

Suggested change

-  "sessionSecret": "a1b2c3d4-e5f6-4789-a012-3456789abcde",
+  "sessionSecret": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",

Note: The static analysis hint flagging this as an "API key" is a false positive — this is an intentional test fixture value, not a leaked production secret.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cypress/config/settings.cypress.json` at line 3, Replace the test fixture
sessionSecret value with a 64-character hex string to match production format
(generated by randomBytes(32).toString('hex')), i.e., update the "sessionSecret"
entry so its value is a 64-character hex string (characters 0-9a-f) to ensure
format parity with production; reference the "sessionSecret" key when making the
change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@cypress/config/settings.cypress.json`:
- Line 3: Replace the test fixture sessionSecret value with a 64-character hex
string to match production format (generated by
randomBytes(32).toString('hex')), i.e., update the "sessionSecret" entry so its
value is a 64-character hex string (characters 0-9a-f) to ensure format parity
with production; reference the "sessionSecret" key when making the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 77793b42-4cd6-4255-a3c3-e35e2d4b3e65

📥 Commits

Reviewing files that changed from the base of the PR and between a289811 and fd3e279.

📒 Files selected for processing (10)

• cypress/config/settings.cypress.json
• seerr-api.yml
• server/index.ts
• server/interfaces/api/settingsInterfaces.ts
• server/lib/settings/index.ts
• src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx
• src/context/SettingsContext.tsx
• src/hooks/usePlexLogin.ts
• src/pages/_app.tsx
• src/utils/plex.ts

✅ Files skipped from review due to trivial changes (3)

• src/pages/_app.tsx
• server/index.ts
• server/interfaces/api/settingsInterfaces.ts

🚧 Files skipped from review as they are similar to previous changes (4)

• src/hooks/usePlexLogin.ts
• src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx
• src/context/SettingsContext.tsx
• seerr-api.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/lib/settings/index.ts`:
- Around line 389-392: The constructor currently pre-populates sessionSecret
which prevents the backfill in load()/mergeSettings() from detecting a missing
value; modify the backfill logic (the check around this.data.sessionSecret
inside load()/mergeSettings()) to generate a new sessionSecret there (e.g., call
randomBytes(32).toString('hex') when sessionSecret is falsy), set change = true,
and call save() so the generated secret is persisted; alternatively remove
sessionSecret generation from the constructor so the backfill detection sees it
as missing—update either the constructor or the load()/mergeSettings() backfill
branch and ensure save() is invoked when a new sessionSecret is created.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2be591da-7f5f-4366-9297-d73cd77a7a5e

📥 Commits

Reviewing files that changed from the base of the PR and between a289811 and 90c1168.

📒 Files selected for processing (10)

• cypress/config/settings.cypress.json
• seerr-api.yml
• server/index.ts
• server/interfaces/api/settingsInterfaces.ts
• server/lib/settings/index.ts
• src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx
• src/context/SettingsContext.tsx
• src/hooks/usePlexLogin.ts
• src/pages/_app.tsx
• src/utils/plex.ts

✅ Files skipped from review due to trivial changes (6)

• server/index.ts
• src/pages/_app.tsx
• server/interfaces/api/settingsInterfaces.ts
• src/context/SettingsContext.tsx
• src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx
• cypress/config/settings.cypress.json

🚧 Files skipped from review as they are similar to previous changes (2)

• src/hooks/usePlexLogin.ts
• seerr-api.yml

[coderabbitai]

♻️ Duplicate comments (1)

src/utils/plex.ts (1)

111-119: ⚠️ Potential issue | 🟡 Minor

Treat a closed popup the same as a missing popup.

preparePopup() and login() are separated by a 1.5s timeout in src/hooks/usePlexLogin.ts:27-31, so this.popup can still be defined but already closed by the time this branch runs. In that case we still try to drive a dead window instead of returning the actionable popup error immediately.

Suggested change

-    if (!this.popup) {
+    if (!this.popup || this.popup.closed) {
+      this.closePopup();
       throw new Error(
         'Unable to open the Plex login window. Please allow popups for this site and try again.'
       );
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/utils/plex.ts` around lines 111 - 119, The login flow can attempt to use
a popup that exists but is already closed between preparePopup() and login();
update the login method (where this.popup is referenced) to treat a closed popup
like a missing one by checking this.popup.closed (or equivalent) before setting
this.popup.location.href and, if closed, throw the same actionable Error
('Unable to open the Plex login window. Please allow popups for this site and
try again.') so the caller receives the correct popup error instead of trying to
drive a dead window.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@src/utils/plex.ts`:
- Around line 111-119: The login flow can attempt to use a popup that exists but
is already closed between preparePopup() and login(); update the login method
(where this.popup is referenced) to treat a closed popup like a missing one by
checking this.popup.closed (or equivalent) before setting
this.popup.location.href and, if closed, throw the same actionable Error
('Unable to open the Plex login window. Please allow popups for this site and
try again.') so the caller receives the correct popup error instead of trying to
drive a dead window.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b71ff1c0-480a-450d-9c23-349c2454d1b0

📥 Commits

Reviewing files that changed from the base of the PR and between 90c1168 and a955d65.

📒 Files selected for processing (10)

• cypress/config/settings.cypress.json
• seerr-api.yml
• server/index.ts
• server/interfaces/api/settingsInterfaces.ts
• server/lib/settings/index.ts
• src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx
• src/context/SettingsContext.tsx
• src/hooks/usePlexLogin.ts
• src/pages/_app.tsx
• src/utils/plex.ts

✅ Files skipped from review due to trivial changes (5)

• src/pages/_app.tsx
• server/interfaces/api/settingsInterfaces.ts
• cypress/config/settings.cypress.json
• server/index.ts
• src/context/SettingsContext.tsx

🚧 Files skipped from review as they are similar to previous changes (3)

• src/hooks/usePlexLogin.ts
• src/components/UserProfile/UserSettings/UserLinkedAccountsSettings/index.tsx
• seerr-api.yml

[fallenbagel]

Success!