Add browser-friendly remote token bootstrap
This commit is contained in:
@@ -2,7 +2,7 @@
|
||||
|
||||
A local web UI for a system-wide `ani-cli` install.
|
||||
|
||||
Current version: `0.30.3`
|
||||
Current version: `0.30.4`
|
||||
|
||||
## Project Layout
|
||||
|
||||
@@ -223,6 +223,14 @@ Non-local clients must then send either:
|
||||
- `Authorization: Bearer <token>`
|
||||
- `X-AniCli-Web-Token: <token>`
|
||||
|
||||
For browser access from another machine, you can also open the app once with:
|
||||
|
||||
```text
|
||||
http://YOUR-HOST:8421/?token=your-token-here
|
||||
```
|
||||
|
||||
The server will set an HTTP-only cookie and redirect to the same page without the token in the URL, so normal browser navigation and API polling continue to work afterward.
|
||||
|
||||
When the app is placed behind a loopback reverse proxy, forwarded external client IP headers such as `X-Forwarded-For` are also treated as non-local, so proxied internet or LAN traffic still needs the token.
|
||||
|
||||
This keeps the queue, config, and watchlist APIs safer when the app is intentionally exposed beyond localhost.
|
||||
|
||||
Reference in New Issue
Block a user