docs: changelog v1.8.1 — FeaturedEventsAPI token gate fix

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

CHANGELOG.md

@@ -5,6 +5,27 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), version
 
 ---
 
+## [1.8.1] — 2026-04-06
+
+### Fixed
+- **`FeaturedEventsAPI` now works without authentication** — `POST /api/events/featured-events/` had `AllowAny` permission but still called `validate_token_and_get_user()`, causing the endpoint to return HTTP 200 + `{"status":"error","message":"token and username required"}` for unauthenticated requests (e.g. the desktop hero slider)
+  - Removed the `validate_token_and_get_user()` call entirely — the endpoint is public by design and requires no token
+  - Also tightened the queryset to `event_status='published'` (was `is_featured=True` only) to match `ConsumerFeaturedEventsView` behaviour and avoid returning draft/cancelled events
+  - Root cause: host Nginx routes `/api/` → `eventify-backend` container (port 3001), not `eventify-django` (port 8085); the `validate_token_and_get_user` gate in this container was silently blocking all hero slider requests
+
+---
+
+## [1.8.0] — 2026-04-04
+
+### Added
+- **`BulkUserPublicInfoView`** (`POST /api/user/bulk-public-info/`)
+  - Internal endpoint for the Node.js gamification server to resolve user details
+  - Accepts `{ emails: [...] }` (max 500), returns `{ users: { email: { display_name, district, eventify_id } } }`
+  - Used for leaderboard data bridge (syncing user names/districts into gamification DB)
+  - CSRF-exempt, returns only public-safe fields (no passwords, tokens, or sensitive PII)
+
+---
+
 ## [1.7.0] — 2026-04-04
 
 ### Added