Proxy Seerr requests through Jellyfin plugin

[alexkahler]

It would be optimal if Seerr requests could be proxied through a Wholphin plugin like discussed in #598
This way users won't have to set up url, username, and password via a cumbersome tv remote. It would also be enable users who have locked down their public-facing apps with zero trust environments that require email mfa to access to provide this feature.

Similar implementation: https://github.com/Moonfin-Client/AndroidTV-FireTV?tab=readme-ov-file#jellyseerr-integration

[voc0der]

I would be happy to turn this into an issue if you think it's a good idea, and then issue a PR, as obviously much of the work is done. I still need to do through testing of all routes and trim the fat, and get this to muster, but the idea is not just an idea. It works locally on my systems seamlessly.

The problem:

• Seerr server may be protected by OIDC on the official hostname.
• Seerr's internal address might not be accessible to the client for Zero Trust Architecture reasons.
• Using user/password is already dated for OIDC users and shouldn't be used, since we want to ideally disable that authentication method, not force it legacy-forward.
• Seerr login within Wholphin is a heavy lift for non-technical users and unless the server admin is doing this for them, I bet adoption rate is low.

The solution:

• Install a Jellyfin plugin- it's simple and essentially passes traffic (mostly) straight through (essentially like Moonfin did), but at the server level. Has safeguards, e.g. needs jellyfin token, and needs to match a seerr linked account.
  https://github.com/voc0der/jellyfin-seerr-proxy
• Then, in Wholphin, we detect if the plugin exists (POST on the exposed endpoint, we already know the path, since it's on Jellyfin), and autoconfigure in certain states; "upon jellyfin login", and "upon configure jellyfin within seerr integration config". To lessen the footprint of it even being able to probe. We store this as an login type but it is streamlined into jellyfin user path.

Show me what you got:
main...voc0der:Wholphin:main So far.
I'm trying to keep this plugin agnostic, so someone other than me can do this too. Jellyfin just needs to expose a path. This could make it easier to migrate to a Wholphin community plugin later if that route is pursued, but this way it keeps it simple for now.

In my environment, it works, as I stated, but it needs more quality checking, especially by the author, and someone other than me to have input.

In the end, this creates a turn key experience for the user so that's worth considering. And most importantly, it lets Jellyfin internally communicate server to server with Seerr, instead of creating a mess of networking rules for relatives to see internal services which they shouldn't.

I was going to make this a new discussion but I see I'm late to the party.

Edit #2 - After going down the rabbit hole, and getting to the end, there's one wrinkle. The Seerr API does not expose any endpoint that actually allows a user to create a pending request (one that happens if the user does not have Auto Approve). Meaning that at this present time, you cannot 1:1 mimic the permissions in Seerr with the proxy. We need to wait. The current plugin implementation is probably a good start.

[voc0der]

damontecres/jellyfin-plugin-wholphin#3