From dbb0d382deaafd3519c9b4ab7583cf58884897e8 Mon Sep 17 00:00:00 2001
From: Leonardo Bishop
Date: Wed, 16 Jul 2025 19:25:52 +0100
Subject: Add api auth
---
 api/handler/site.go | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'api/handler/site.go')
diff --git a/api/handler/site.go b/api/handler/site.go
index 0a2ac85..abdc0de 100644
--- a/api/handler/site.go
+++ b/api/handler/site.go
@@ -1,8 +1,10 @@
 package handler
 import (
+ "crypto/subtle"
 "fmt"
 "net/http"
+ "strings"
 "github.com/LMBishop/scrapbook/pkg/config"
 "github.com/LMBishop/scrapbook/pkg/index"
@@ -11,6 +13,13 @@ import (
 func UploadSiteVersion(mainConfig *config.MainConfig, index *index.SiteIndex) func(http.ResponseWriter, *http.Request) {
 return func(w http.ResponseWriter, r *http.Request) {
+ token := strings.TrimPrefix("Bearer ", r.Header.Get("Authorization"))
+ if len(mainConfig.Command.Secret) == 0 || subtle.ConstantTimeCompare([]byte(token), []byte(mainConfig.Command.Secret)) != 1 {
+ w.WriteHeader(http.StatusForbidden)
+ return
+ }
+
 site := r.PathValue("site")
 reader, err := r.MultipartReader()
 if err != nil {
-- cgit v1.2.3-70-g09d2
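Review bot: The arguments to `strings.TrimPrefix` are reversed on the added `token :=` line in the second hunk: the signature is `TrimPrefix(s, prefix)`, so this trims the header value off the literal `"Bearer "` instead of trimming the scheme off the header. For an ordinary `Authorization: Bearer <secret>` header the result is the constant `"Bearer "`, so the submitted credential never reaches `subtle.ConstantTimeCompare` and correctly configured clients receive 403. The line should read `token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")`. Since `TrimPrefix` also passes through a header with no scheme at all, `strings.CutPrefix` with a rejection when the prefix is absent would make the check stricter, and a handler test with one valid and one invalid token would have caught the swap. The handler closure continues past the end of the hunk.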