Add browser-friendly remote token bootstrap

This commit is contained in:
Dymas
2026-05-17 14:59:48 +02:00
parent c91db90c1b
commit 47480efa30
6 changed files with 130 additions and 4 deletions
+9 -1
View File
@@ -2,7 +2,7 @@
A local web UI for a system-wide `ani-cli` install.
Current version: `0.30.3`
Current version: `0.30.4`
## Project Layout
@@ -223,6 +223,14 @@ Non-local clients must then send either:
- `Authorization: Bearer <token>`
- `X-AniCli-Web-Token: <token>`
For browser access from another machine, you can also open the app once with:
```text
http://YOUR-HOST:8421/?token=your-token-here
```
The server will set an HTTP-only cookie and redirect to the same page without the token in the URL, so normal browser navigation and API polling continue to work afterward.
When the app is placed behind a loopback reverse proxy, forwarded external client IP headers such as `X-Forwarded-For` are also treated as non-local, so proxied internet or LAN traffic still needs the token.
This keeps the queue, config, and watchlist APIs safer when the app is intentionally exposed beyond localhost.