feat: Starred areas/places + personalized activity feed

[escapedcat]

Problem

• Area/community pages now show combined activity (edits, comments, boosts) but users have to navigate to each area
  individually
• No way to "follow" areas of interest and see a merged feed
• Vision: "starred areas, kept server side, access across devices. Personalized feeds merging watched areas."

What already exists

• user + access_token tables with Argon2 hashing and Bearer token auth
• REST Auth extractor — any handler can read the authenticated user
• RPC add_user + create_api_key — account creation and token issuance
• GET /v4/activity?area={id} — area-scoped activity feed
• 22 admin/editor accounts, system is proven

Proposed approach

Auth: Use existing BTC Map accounts. No new auth system.

Sign-up UX (gradual onboarding):

• Anonymous browsing as usual
• Click "star" on area/place → sign-up modal (username + password)
• Account created, token in localStorage, star completes
• Token keeps them logged in on return visits
• No password recovery for MVP — low stakes, can re-star
• Nostr "Sign in with" can be added later as alternative login

New DB tables:

• starred_area (user_id, area_id)
• starred_place (user_id, element_id)

New API endpoints:

• PUT/DELETE /v4/starred/areas/{area_id} — star/unstar
• PUT/DELETE /v4/starred/places/{element_id} — star/unstar
• GET /v4/starred/areas + GET /v4/starred/places — list
• GET /v4/activity?starred=true — personalized feed

Frontend

• Star buttons on area and merchant pages
• "My Feed" page merging starred area activity
• Login/sign-up modal triggered on first star

Future extensions (not MVP)

• "Sign in with Nostr" — verify npub, link to BTC Map account
• Auto-generated throwaway accounts (WoS/Robosats style)
• Password recovery via email or Nostr
• Premium features (unlimited comments, custom username/avatar, sponsor badges)
• Starred places in personalized feed

Open questions

• Starred data private or public?
• Bearer token expiry?
• Android app — same gradual flow? Coordinate timing?
• Single API branch for tables + endpoints + feed?

[bubelov]

We can get away with denormalized schema by adding starred_elements and starred_areas as either comma separated TEXT or int array JSON fields in https://github.com/teambtcmap/btcmap-api/blob/master/src/db/main/user/schema.rs

[bubelov]

Not sure about naming though, what are the canditates?

• starred
• bookmarked
• watched
• something else?

[escapedcat]

• fav? favourtie? faved?

[bubelov]

In Google Maps, the button is called "Save", and it shows the user a few sub-groups (Favourites, Starred Places, Want to go, St Petersburg Trip, and Travel Plans).

I think 4/5 of those sub-groups are auto generated, but I don't like the complexity of it, and many to many spaghetti, even as a regular user.

"Save" sounds good though, also something most users expect since Google sets the standard of mapping UI. I guess I'm in favor of single-step "Save" action, saving them as saved_elements/areas. It also better explains the need for a sign up, to save stuff on the server

[bubelov]

We can also replace sign-up modal with randomly generated username/password pair (can be generated both server side or client side, but server side sounds better). That would generate a throwaway account and we can tell them to save the credentials or ignore it, if single device use without backup is what they need