Login with Plex causes HTTP 401 Unauthorized and leads to ban in fail2ban #4034

Open
1 task done
symb10sis opened this issue Feb 2, 2025 · 1 comment

Comments

@symb10sis

Description

When trying to log in to Overseerr with Plex sign-in, there are many 401 Unauthorized entries in the nginx unauthorized.log. This causes fail2ban to block the IP, thus users are not able to log in.

There is a similar issue that got closed, but I didn't see any fix/commit linked to it:
#3535

Version

1.33.2

Steps to Reproduce

  1. Go to the Overseerr login page, for example https://overseer.example.org
  2. Click on Sign in with Plex
  3. 401 unauthorized errors appear in nginx unauthorized.log
  4. Get banned from fail2ban because of too many unauthorized entries in nginx unauthorized.log

Screenshots

No response

Logs

# nginx unauthorized.log
198.51.100.10 - - [02/Feb/2025:12:17:52 +0100] "GET /api/v1/auth/me HTTP/2.0" 401 123 "https://overseerr.example.org/login" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36"
198.51.100.10 - - [02/Feb/2025:12:17:52 +0100] "GET /api/v1/auth/me HTTP/2.0" 401 123 "https://overseerr.example.org/login" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36"
198.51.100.10 - - [02/Feb/2025:12:18:16 +0100] "GET /api/v1/auth/me HTTP/2.0" 401 123 "https://overseerr.example.org/login/plex/loading" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36"
198.51.100.10 - - [02/Feb/2025:12:18:16 +0100] "GET /api/v1/auth/me HTTP/2.0" 401 123 "https://overseerr.example.org/login/plex/loading" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36"
198.51.100.10 - - [02/Feb/2025:12:19:44 +0100] "GET /api/v1/auth/me HTTP/2.0" 401 123 "https://overseerr.example.org/login" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Mobile Safari/537.36"

# fail2ban logs
2025-02-02 12:17:53,000 fail2ban.filter         [824]: INFO    [nginx-unauthorized] Found 198.51.100.10 - 2025-02-02 12:17:52
2025-02-02 12:17:53,003 fail2ban.filter         [824]: INFO    [nginx-unauthorized] Found 198.51.100.10 - 2025-02-02 12:17:52
2025-02-02 12:18:17,020 fail2ban.filter         [824]: INFO    [nginx-unauthorized] Found 198.51.100.10 - 2025-02-02 12:18:16
2025-02-02 12:18:17,021 fail2ban.filter         [824]: INFO    [nginx-unauthorized] Found 198.51.100.10 - 2025-02-02 12:18:16
2025-02-02 12:19:44,272 fail2ban.filter         [824]: INFO    [nginx-unauthorized] Found 198.51.100.10 - 2025-02-02 12:19:44
2025-02-02 12:19:44,440 fail2ban.actions        [824]: NOTICE  [nginx-unauthorized] Ban 198.51.100.10

Platform

smartphone

Device

Pixel 7

Operating System

Android 15

Browser

Firefox 134.0.2, Chrome 132.0.6834.163

Additional Context

No response

Code of Conduct

  • I agree to follow Overseerr's Code of Conduct
@didyouexpectthat

api/v1/auth/me checks whether you are logged in or not by checking cookies. If you have two tabs open and log in with tab one, tab two will automatically log in, too.

The suggested failregex for fail2ban is located at: https://docs.overseerr.dev/extending-overseerr/fail2ban, but I see you are probably proxying through nginx. Is adding access_log off; in the nginx servers' proxy config for Overseerr and using Overseerr's log with fail2ban instead an option?
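
An added example, not part of either post and not Overseerr or fail2ban code: it replays the issue's five 401 lines through a counter that treats every 401 as a failure, then through one that skips the `GET /api/v1/auth/me` session probe described above. The helper names, the second client `203.0.113.7` with its path, and the threshold of 5 (read off the five "Found" lines before the ban) are assumptions, and fail2ban's time window is not modelled.

```python
import re
from collections import Counter

# Prefix of an nginx access-log line: client IP, request line, status code.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
PROBE = ("GET", "/api/v1/auth/me")  # cookie check made by the login page itself
MAX_RETRY = 5  # assumption: the issue's fail2ban log bans after five "Found" lines


def log_line(ip, ts, method, path):
    """Build one constructed 401 line (referer and user agent are placeholders)."""
    return (f'{ip} - - [02/Feb/2025:{ts} +0100] "{method} {path} HTTP/2.0" '
            f'401 123 "-" "constructed-agent"')


# Constructed sample: the issue's five probe requests (same IP, times and path),
# plus five 401s from a second client on a hypothetical protected path.
SAMPLE = "\n".join(
    [log_line("198.51.100.10", ts, "GET", "/api/v1/auth/me")
     for ts in ("12:17:52", "12:17:52", "12:18:16", "12:18:16", "12:19:44")]
    + [log_line("203.0.113.7", f"12:20:0{i}", "POST", "/constructed/protected")
       for i in range(5)]
)


def count_401(log, skip_probe):
    """Count 401 responses per client IP, optionally ignoring the session probe."""
    hits = Counter()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m or m["status"] != "401":
            continue
        path = m["path"].split("?", 1)[0]  # compare the path without a query string
        if skip_probe and (m["method"], path) == PROBE:
            continue
        hits[m["ip"]] += 1
    return hits


def banned(log, skip_probe):
    """Return the IPs whose 401 count reaches MAX_RETRY."""
    return sorted(ip for ip, n in count_401(log, skip_probe).items() if n >= MAX_RETRY)


if __name__ == "__main__":
    print("every 401 counted:", banned(SAMPLE, skip_probe=False))
    print("probe skipped:    ", banned(SAMPLE, skip_probe=True))
```

In a fail2ban filter, the same exclusion would be expressed with the `ignoreregex` option.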
