CrossWatch v0.9.21
Because security is a top priority for CrossWatch, this version is being released earlier than planned to address an issue in the authentication status endpoint. It also adds Recent Activity and a new authentication method for MDBList: Device Code authentication, which is the new default.
✨ Highlights
- Added: Recent Activity dashboard widget for recently scrobbled movies and episodes.
- Added: “View all” activity history with search and filters.
- Added: Activity method labels so entries show whether they came from Watcher, Webhook, or failed activity.
- Added: Provider/profile details in the full activity history view to make multi-profile setups easier to audit.
- Added: UI setting to show or hide Recent Activity. Default is enabled.
- Added: UI settings to choose how many Recent Activity and Recent Sync rows appear on the dashboard.
- Added: Maintenance action for clearing the local activity log.
- Added: MDBList Device Code authentication as the preferred connection method.
- Added: MDBList API key mode remains available for existing and legacy setups.
🔒 Security
- Fixed: /api/app-auth/status no longer exposes active session metadata to unauthenticated clients.
- Fixed: Unauthenticated clients can no longer enumerate session IP addresses, User-Agent strings, internal session IDs, or session timestamps.
- Hardened: POST /api/maintenance/reset-all-default is no longer reachable through an unauthenticated setup-lock bypass.
- Hardened: Legacy clean-reset recovery now requires setup credentials first, then runs through an authenticated session.
- Hardened: Unauthenticated /api/config/meta responses no longer include local filesystem details such as config path, file size, or modification time.
🔧 Fixes & Improvements
- Changed: Updated the version to v0.9.21.