## Context
The wxyc-ios-64 iOS app currently embeds API credentials (Discogs key/secret, Spotify client ID/secret) in its binary via the #ObfuscatedString macro. These should not live in client code. Backend-Service already has full Discogs and Spotify integration with rate limiting and caching.
## Solution
Add server-side proxy endpoints that allow the iOS app to call these APIs through Backend-Service behind anonymous device session auth, removing the need for secrets in the iOS binary.
## New Endpoints

| Endpoint | Auth | Purpose |
|---|---|---|
| `GET /config` | None (public) | Bootstrap config: PostHog key, request-o-matic URL |
| `GET /proxy/artwork/search` | Anonymous session | Artwork lookup via ArtworkFinder |
| `GET /proxy/metadata/album` | Anonymous session | Album metadata (Discogs + Spotify + Apple Music + search URLs) |
| `GET /proxy/metadata/artist` | Anonymous session | Artist bio + Wikipedia from Discogs |
| `GET /proxy/entity/resolve` | Anonymous session | Resolve Discogs entity by type + ID |
| `GET /proxy/spotify/track/:id` | Anonymous session | Spotify track metadata |
## Rate Limiting
All /proxy/* endpoints: 120 requests per 60-second window per user ID (from anonymous session). Disabled in test environment.
## Implementation
- Controllers delegate to existing service layer (MetadataService providers, ArtworkFinder, DiscogsService)
- No new external API integrations needed
- 25 unit tests covering all endpoints, validation, error handling, and cache headers
- Cache-Control headers on all responses (public for /config, private for /proxy/*)
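As an added illustration of the two policies stated above (the per-user 120-requests-per-60-seconds limit that is switched off in the test environment, and the public/private Cache-Control split), here is a self-contained TypeScript sketch. It is example code, not Backend-Service's own middleware; the class and function names (`FixedWindowLimiter`, `cacheControlFor`) and the 300-second max-age are assumptions.

```typescript
// Fixed-window limiter keyed by the anonymous session's user ID.
// Example code, not Backend-Service's implementation.
interface RateLimitDecision {
  allowed: boolean;
  remaining: number;
  retryAfterSec: number; // 0 when the request is allowed
}

class FixedWindowLimiter {
  private readonly buckets = new Map<string, { windowStart: number; count: number }>();

  // `enabled` is what the service would set to false in the test environment.
  constructor(
    private readonly limit = 120,
    private readonly windowMs = 60_000,
    private readonly enabled = true,
  ) {}

  // `nowMs` is injected so the window logic is deterministic in tests.
  check(userId: string, nowMs: number): RateLimitDecision {
    if (!this.enabled) return { allowed: true, remaining: this.limit, retryAfterSec: 0 };
    const b = this.buckets.get(userId);
    if (!b || nowMs - b.windowStart >= this.windowMs) {
      // First request in a fresh window for this user.
      this.buckets.set(userId, { windowStart: nowMs, count: 1 });
      return { allowed: true, remaining: this.limit - 1, retryAfterSec: 0 };
    }
    if (b.count >= this.limit) {
      // Over the limit: tell the client when the window resets (HTTP Retry-After).
      const retryAfterSec = Math.ceil((b.windowStart + this.windowMs - nowMs) / 1000);
      return { allowed: false, remaining: 0, retryAfterSec };
    }
    b.count += 1;
    return { allowed: true, remaining: this.limit - b.count, retryAfterSec: 0 };
  }
}

// Cache-Control per the PR: public for /config, private for /proxy/* (per-session data
// must not be stored by shared caches). The 300 s max-age is an assumed value.
function cacheControlFor(path: string, maxAgeSec = 300): string {
  if (path === "/config") return `public, max-age=${maxAgeSec}`;
  if (path.startsWith("/proxy/")) return `private, max-age=${maxAgeSec}`;
  return "no-store";
}
```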
## Part of
This is PR 1 of 5 in the iOS secrets migration project. Subsequent PRs will update wxyc-shared types and the iOS app to use these endpoints.