feat: Seerr QC login, password-login hide, auto-URL scheme, new ENV vars | fix: Set-Cookie

[v3DJG6GL]

Pull Request Description

• This PR adds QuickConnect authentication support to the login flow Seerr (see PR feat: add jellyfin/emby quick connect authentication seerr-team/seerr#2212), which enables passwordless authentication for Seerr.
• Furthermore, it adds several smaller UX changes/improvements: Direct Jellyfin QC settings link, copy-paste QC code, a hide PW menu option and some other small UX changes.
• I've additionally added a fix for the issue mentioned here: Jellyseerr local login fails from web (proxmox helper script); works fine from android #710 (comment)
• Additionally, I've experimented with setting custom headers through ENV vars. Although I am not sure whether the additional code changes are really worth it tbh...

---

Features

Seerr QuickConnect Integration (All Plattforns)

• Add QuickConnect API endpoints and models (lib/seerr/seerr_models.dart)
• Add QuickConnect service methods (lib/providers/seerr_service_provider.dart)
• Add QuickConnect tab to Seerr connection dialog
• Auto-restart QC polling after in-app browser closes
• Add 5-minute QC polling timeout
• Clear QC secrets on dispose

UI / UX (All Plattforns)

• Add "Open Jellyfin QuickConnect" link to QuickConnect modals
• Copy QuickConnect code to clipboard on tap (Addresses [Feature Request] QuickConnect: copy code to clipboard with a tap/click #653)
• Auto-add URL scheme for Jellyfin and Seerr URLs (try https first, then http)
• Add hidePasswordLogin client setting to hide password fields
• Rename "Local Server URL" to "Local Jellyfin URL"

Docker: New Environment Variables

• SEERR_URL: Pre-fills and locks the Seerr URL in settings (Addresses Add JELLYSEERR_URL env var to Fladder Docker image (like BASE_URL) #688)
• HIDE_PASSWORD_LOGIN: Hides password fields, showing only QuickConnect (partially Addresses [Feature Request] [Docker/self-hosted]: hide/disable jellyfin login form with ENV variable #652)
• SEERR_CUSTOM_HEADERS: JSON object of headers injected server-side for all users.
  • Headers are injected server-side via an nginx reverse proxy (/seerr-proxy/) so header values should never reach the client.

---

Issue Being Fixed

• Seerr login on web (Fixes Jellyseerr local login fails from web (proxmox helper script); works fine from android #710):
  • Credential and QC login on web failed with "No session cookie returned by server" because browsers never expose Set-Cookie to JavaScript
  • Use BrowserClient with withCredentials = true so the browser manages session cookies natively
  • Skip manual cookie extraction on web; use sentinel value to signal browser-managed auth

---

Screenshots (Container version)

Login Screen (with SEERR_URL & BASE_URL set)

Login Screen QuickConnect modal

Login Screen (with SEERR_URL & BASE_URL set & HIDE_PASSWORD_LOGIN set to true)

Settings: Hide Password login toggle (disable since ENV HIDE_PASSWORD_LOGIN is set to true)

Settings: Seerr Login QuickConnect modal (Seerr URL locked since ENV SEERR_URL is set)

Seerr Login QuickConnect modal: QuickConnect button pressed

Seerr Login QuickConnect modal: Successfully logged in

---

Notes

AI Disclosure

Developed with assistance from Claude Code (Opus 4.6). The AI helped me identify the related files, code parts and proposed possible code modifications and fixes.
I've manually reviewed, cleaned, refactored and hardened the code the best I could, but since my Dart capabilities are not that good, I see this PR more as a proposal/idea.
A Proper code review is required in any case - also especially since this PR is also focused on authentication...
Feel free to close/reject that PR if non of my ideas/implementatons match the project standards. I am also willing to split this PR into smaller parts, in case some of the implementations are worth considering :)
I started implementing these features and fixes mainly for my own purposes. Since the Seerr QC PR has not been merged yet, it is currently only usable by people running development/custom builds....

Custom Header Environment Variables

I initially thought that adding custom header ENV Var could be useful, but I am not sure whether I am overcomplicated my implementation or whether there are really no easier solutions:
Example Setup :

• Reverse Proxy: NPM (NGINX)
• Authentication Provider: Authelia
• Seerr: Behind Authelia auth layer
• Fladder: Exposed to internet
• I've added a new authz endpoint and defined a BasicAuthentication user that is allowed to bypass SSO Auth layer:

  server:
  [...]
  endpoints:
      authz:
      auth-request-basic:
          implementation: 'AuthRequest'
          authn_strategies:
          - name: 'HeaderAuthorization'
              schemes:
              - 'Basic'
          - name: 'CookieSession'
  [...]
  

  access_control:
  default_policy: two_factor
  rules:
      - domain: seerr.DOMAIN.TLD
      policy: one_factor
      subject:
          - 'group:lldap_service_accounts'
  

• Then I've configured NPM (NGINX) accordingly:

  location /authelia {
      internal;
      set $upstream_authelia http://authelia:9091/api/authz/auth-request-basic;
  

However, this only prevents the WebUI from being exposed directly to the internet. The Seerr API is proxied to Fladder and reachable via /seerr-proxy/. Of course, still with Seerr authentication in front of.

Ideally, the API endpoint should only be accessible to logged-in Fladder users.
But I might be overcomplicating things. ^___^

To-Do's

• Proper code review
• Maybe split into several smaller PRs - as mentioned in the Contribution Guidelines?
• Testing the builds on all plattforms
  • Android
  • Android TV
  • Linux AppImage
  • Linux
  • Windows
  • macOS

Checklist

• If a new package was added, did you ensure it works for all supported platforms? Is the package well maintained
• Check that any changes are related to the issue at hand.

[PartyDonut]

Hi, thanks for having a go at helping out. I also appreciate you being upfront about having used AI.
While in general I'm not against it I would prefer it to be used as an assistant/tool, so no vibe coding (not saying this is vibe coded). But just my 5 cents on the whole AI thing.

Besides the point I am going to close this because it's a bit much for one PR. If you could separate it into the following features then we can go and review from there.

• Seerr quick-connect,
  Keep in mind I will probably not merge this until the Seerr team has merged their end of the implementation. As to not cause confusion for everyone using the stable Seerr builds.

• Seerr local login fix

The Seerr environment variables is actually something I also worked on, so would prefer to merge that. It is very similar in implementation though.

For future reference it's probably best to keep PR's either small or check in before hand how/if we want to implement something.

[v3DJG6GL]

Hi and thank you for your response :)

Yes, I thought so too — it might be better to split this PR.

• Seerr quick-connect,
  Keep in mind I will probably not merge this until the Seerr team has merged their end of the implementation. As to not cause confusion for everyone using the stable Seerr builds.

Of course! I mainly implemented it for my own setup, which involves running my own custom-built Seer container with this PR already merged.
I'll create a separate PR for that.

• Seerr local login fix

Same for this, I'll separate it...

How about the other smaller features I've added? Should I also open separate PRs for these?

• Add "Open Jellyfin QuickConnect" link to QuickConnect modals
• Copy QuickConnect code to clipboard on tap (Addresses [Feature Request] QuickConnect: copy code to clipboard with a tap/click #653)
• Auto-add URL scheme for Jellyfin and Seerr URLs (try https first, then http)
• Add hidePasswordLogin client setting to hide password fields
• HIDE_PASSWORD_LOGIN: Hides password fields, showing only QuickConnect (partially Addresses [Feature Request] [Docker/self-hosted]: hide/disable jellyfin login form with ENV variable #652)
• Rename "Local Server URL" to "Local Jellyfin URL"

[PartyDonut]

Hi and thank you for your response :)

Yes, I thought so too — it might be better to split this PR.

• Seerr quick-connect,
  Keep in mind I will probably not merge this until the Seerr team has merged their end of the implementation. As to not cause confusion for everyone using the stable Seerr builds.

Of course! I mainly implemented it for my own setup, which involves running my own custom-built Seer container with this PR already merged. I'll create a separate PR for that.

• Seerr local login fix

Same for this, I'll separate it...

How about the other smaller features I've added? Should I also open separate PRs for these?

* Add "Open Jellyfin QuickConnect" link to QuickConnect modals

* Copy QuickConnect code to clipboard on tap (Addresses [[Feature Request] QuickConnect: copy code to clipboard with a tap/click #653](https://github.com/DonutWare/Fladder/discussions/653))

* Auto-add URL scheme for Jellyfin and Seerr URLs (try https first, then http)

* Add `hidePasswordLogin` client setting to hide password fields

* `HIDE_PASSWORD_LOGIN`: Hides password fields, showing only QuickConnect (**_partially_ Addresses** [[Feature Request] [Docker/self-hosted]: hide/disable jellyfin login form with ENV variable #652](https://github.com/DonutWare/Fladder/discussions/652))

* Rename "Local Server URL" to "Local Jellyfin URL"

• Copy QuickConnect code to clipboard on tap (Addresses [Feature Request] QuickConnect: copy code to clipboard with a tap/click #653)
• Auto-add URL scheme for Jellyfin and Seerr URLs (try https first, then http)

These two should be fine.

I get wanting those others implemented but I would like to keep it simple for the most part and not add to much features all at the same time.