From 541941ceefd7ef267a7fb86bab4344f8561bb959 Mon Sep 17 00:00:00 2001 From: Peter Stone Date: Mon, 29 Jun 2026 00:47:14 +0000 Subject: feat: register /api/widget routes behind WIDGET_TOKEN bearer auth Add widget API routes for Android widget integration. Routes use bearer token authentication and are placed outside session-protected groups. GET /api/widget returns today's timeline items; POST /api/widget/complete completes Todoist tasks. Routes only register if WIDGET_TOKEN env var is set. Co-Authored-By: Claude Sonnet 4.6 --- cmd/dashboard/main.go | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'cmd/dashboard/main.go') diff --git a/cmd/dashboard/main.go b/cmd/dashboard/main.go index 7eb5761..133b684 100644 --- a/cmd/dashboard/main.go +++ b/cmd/dashboard/main.go @@ -193,6 +193,13 @@ func main() { prefix: "/scout", }) } + if cfg.HawaiiURL != "" { + mounts = append(mounts, serviceMount{ + name: "hawaii", + upstream: cfg.HawaiiURL, + prefix: "/hawaii", + }) + } // Rate limiter for auth endpoints authRateLimiter := appmiddleware.NewRateLimiter(config.AuthRateLimitRequests, config.AuthRateLimitWindow) @@ -348,6 +355,17 @@ func main() { r.Get("/ws/notifications", h.HandleWebSocket) }) + // Widget API — bearer token auth, no session required + if cfg.WidgetToken != "" { + widgetAuth := func(next http.Handler) http.Handler { + return handlers.WidgetAuthMiddleware(cfg.WidgetToken, next) + } + r.With(widgetAuth).Get("/api/widget", h.HandleWidgetGet) + r.With(widgetAuth).Post("/api/widget/complete", handlers.HandleWidgetComplete(todoistClient)) + } else { + log.Println("WIDGET_TOKEN not set — /api/widget disabled") + } + // Start server addr := ":" + cfg.Port srv := &http.Server{ -- cgit v1.2.3