docs: document public watchlist

This commit is contained in:
2026-06-29 13:39:42 +02:00
parent be71ec91c8
commit ed7dfea834
2 changed files with 15 additions and 0 deletions

View File

@@ -168,6 +168,17 @@ Configuration is loaded from environment variables, and a local `.env` file is r
</details> </details>
### Public Watchlist JSON
`GET /api/public/users/{user_id}/watchlist` returns a versioned, agent-friendly JSON view of a
user's complete watchlist. It includes status summaries, episode progress,
added/completed/last-watched dates, and localized titles. Add `?download=1` to receive the same
response as a `watchlist-{user_id}.json` attachment; the watchlist page's export action uses this
URL.
This endpoint is intentionally unauthenticated. A deployment that should keep watchlist and
playback data private must restrict access to `/api/public/` at the network or reverse-proxy layer.
### Repository Map ### Repository Map
| Path | Responsibility | | Path | Responsibility |

View File

@@ -55,6 +55,10 @@ dependency monitoring.
Use a strong `PLAYBACK_PROXY_SECRET` if playback proxy token signing is enabled. Do not commit real Use a strong `PLAYBACK_PROXY_SECRET` if playback proxy token signing is enabled. Do not commit real
secrets, provider tokens, session data, or production databases to the repository. secrets, provider tokens, session data, or production databases to the repository.
The read-only `/api/public/users/{user_id}/watchlist` endpoint intentionally exposes watchlist
statuses, episode progress, and watchlist dates without authentication. Restrict `/api/public/` at
the network or reverse-proxy layer when that data should not be public.
## Dependency Security ## Dependency Security
Dependencies are managed through Go modules and Bun. When updating dependencies, run the normal Dependencies are managed through Go modules and Bun. When updating dependencies, run the normal