fix(debrid): handle HEAD requests on playback route

[Roboman1723]

Replace the blanket 405 for all HEAD requests with a lightweight HEAD handler on the playback route that validates the encrypted token and file info without hitting the debrid provider, then returns 200 with Content-Type: video/mp4.

Summary by CodeRabbit

• Bug Fixes
  • HEAD requests to the playback endpoint now undergo the same validation as GET and receive a 200 with video content-type when valid, allowing clients to probe resource metadata without starting playback or being rejected.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 0b686f21-d9f0-4c4f-b83a-32b645394cca

📥 Commits

Reviewing files that changed from the base of the PR and between aac56ee and 9b3c405.

📒 Files selected for processing (1)

• packages/server/src/routes/api/debrid.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/server/src/routes/api/debrid.ts

---

Walkthrough

Replaces middleware that rejected HEAD requests with a dedicated HEAD handler for the playback route. The handler parses/looks up fileInfo, decrypts and validates encryptedStoreAuth (ServiceAuth), then returns 200 with Content-Type: video/mp4; errors are forwarded to the error handler.

Changes

HEAD Endpoint Support

Layer / File(s)	Summary
HEAD playback route with validation packages/server/src/routes/api/debrid.ts	Removes blanket HEAD rejection middleware and adds a dedicated HEAD handler for the playback endpoint that performs request validation (fileInfo parsing/lookup, store auth decryption, ServiceAuth validation) before responding with Content-Type: video/mp4 and 200 status.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

A rabbit peeks at the playback gate,
HEAD once halted, now checks its state,
Decrypts a token, counts the file,
Replies with headers, calm and agile. 🐇✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: replacing generic HEAD request blocking with a dedicated HEAD handler on the playback route.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/server/src/routes/api/debrid.ts`:
- Around line 36-84: The HEAD handler for
'/playback/:encryptedStoreAuth/:fileInfo/:metadataId/:filename' currently never
validates the metadataId so it can return 200 when the GET route would reject
with "Metadata not found"; update the handler to perform the same metadata
existence check used by the GET metadata gate (i.e., validate
req.params.metadataId using the same lookup/function the GET route uses) and if
the metadata is missing call next(new APIError(constants.ErrorCode.BAD_REQUEST,
undefined, 'Metadata not found')) and return; keep the existing FileInfoSchema
and ServiceAuthSchema parsing and decryption logic but add the metadataId lookup
(using the same store/get function or helper used by the GET route) before
sending the 200 response so HEAD and GET stay aligned.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: e1c505ad-0f7d-495e-b485-7ec4265d6230

📥 Commits

Reviewing files that changed from the base of the PR and between 2a61779 and aac56ee.

📒 Files selected for processing (1)

• packages/server/src/routes/api/debrid.ts