docs: document public watchlist
This commit is contained in:
11
README.md
11
README.md
@@ -168,6 +168,17 @@ Configuration is loaded from environment variables, and a local `.env` file is r
|
||||
|
||||
</details>
|
||||
|
||||
### Public Watchlist JSON
|
||||
|
||||
`GET /api/public/users/{user_id}/watchlist` returns a versioned, agent-friendly JSON view of a
|
||||
user's complete watchlist. It includes status summaries, episode progress,
|
||||
added/completed/last-watched dates, and localized titles. Add `?download=1` to receive the same
|
||||
response as a `watchlist-{user_id}.json` attachment; the watchlist page's export action uses this
|
||||
URL.
|
||||
|
||||
This endpoint is intentionally unauthenticated. A deployment that should keep watchlist and
|
||||
playback data private must restrict access to `/api/public/` at the network or reverse-proxy layer.
|
||||
|
||||
### Repository Map
|
||||
|
||||
| Path | Responsibility |
|
||||
|
||||
@@ -55,6 +55,10 @@ dependency monitoring.
|
||||
Use a strong `PLAYBACK_PROXY_SECRET` if playback proxy token signing is enabled. Do not commit real
|
||||
secrets, provider tokens, session data, or production databases to the repository.
|
||||
|
||||
The read-only `/api/public/users/{user_id}/watchlist` endpoint intentionally exposes watchlist
|
||||
statuses, episode progress, and watchlist dates without authentication. Restrict `/api/public/` at
|
||||
the network or reverse-proxy layer when that data should not be public.
|
||||
|
||||
## Dependency Security
|
||||
|
||||
Dependencies are managed through Go modules and Bun. When updating dependencies, run the normal
|
||||
|
||||
Reference in New Issue
Block a user