From 0bfd615c0dcd13b30b15bdf0aa98e23669f55cd2 Mon Sep 17 00:00:00 2001
From: Lauris
Date: Sat, 30 May 2026 21:06:10 +0200
Subject: [PATCH] fix(auth): sign session cookie store with sessionSecret, not clientId

cookie-parser was initialized with settings.clientId (the Plex client UUID), but express-session signs connect.sid with settings.sessionSecret. The secrets differ, so cookie-parser's signature check on connect.sid fails, the cookie is dropped from req.cookies, and the OpenAPI validator rejects every authenticated request with "cookie 'connect.sid' required" even though the browser is sending it correctly.

This also matches the signing secret used by the OIDC code-verifier and state cookies that are stored via res.cookie(..., {signed: true}), which read back through req.signedCookies during the callback.
---
 server/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/index.ts b/server/index.ts
index 8a1ec6abb..ddceb981d 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -162,7 +162,7 @@ app
 if (settings.network.trustProxy) {
 server.enable('trust proxy');
 }
- server.use(cookieParser(settings.clientId));
+ server.use(cookieParser(settings.sessionSecret));
 server.use(express.json());
 server.use(express.urlencoded({ extended: true }));
 server.use((req, _res, next) => {
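Review bot: The mechanism given in the description does not match how cookie-parser handles a signed cookie: when the signature verifies, an `s:`-prefixed value such as connect.sid is still removed from req.cookies and surfaces on req.signedCookies, so the changed line only clears the "cookie 'connect.sid' required" error if the OpenAPI validator also consults req.signedCookies — worth pinning with a request-level test rather than relying on the description. A comment on the changed line would keep the coupling visible, e.g. `// Must match express-session's secret: cookie-parser unsigns connect.sid and the OIDC state/code-verifier cookies with it (verified values land on req.signedCookies, not req.cookies)`. The previous secret was the Plex client identifier, which is not a secret if it is sent to Plex with every request, so anything signed with it (the OIDC state and code-verifier cookies the description mentions) could presumably have been forged by whoever learned it; that is the stronger reason for this change and deserves a sentence in the description. The `.then(async () => {` block that the `app` hunk context points at starts and ends outside the hunk.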