fixes lol

openresty/nginx.conf

@@ -760,6 +760,35 @@ http {
             add_header Cache-Control "public, max-age=300" always;
         }
 
+        # Public watch room endpoints - guests can view playlist and add videos if allowed by settings
+        # Must be before the catch-all /api/ block to avoid JWT validation
+        location ~ ^/api/watch/[0-9]+/(playlist|state)$ {
+            limit_req zone=api_limit burst=20 nodelay;
+
+            # CORS headers
+            add_header Access-Control-Allow-Origin $cors_origin always;
+            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+            add_header Access-Control-Allow-Headers "Content-Type" always;
+            add_header Access-Control-Allow-Credentials "true" always;
+
+            if ($request_method = 'OPTIONS') {
+                add_header Content-Length 0;
+                add_header Content-Type text/plain;
+                return 204;
+            }
+
+            proxy_pass http://backend;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Cookie $http_cookie;
+
+            # Don't cache API responses
+            expires -1;
+            add_header Cache-Control "no-store, no-cache" always;
+        }
+
         # Other API endpoints (authenticated)
         location /api/ {
             limit_req zone=api_limit burst=20 nodelay;