From c318cfd120141127a9db2343d7c98d3b938b756a Mon Sep 17 00:00:00 2001
From: Frank Tovar
Date: Thu, 29 Jan 2026 01:18:34 +0100
Subject: [PATCH] Validate admin key on register
---
 API.md | 2 +-
 Endpoints/AuthEndpoints.cs | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/API.md b/API.md
index be7bef7..424be66 100644
--- a/API.md
+++ b/API.md
@@ -7,7 +7,7 @@ POST /api/auth/register
 POST /api/auth/login
 POST /api/auth/logout
-- Register accepts optional `adminKey`; when it matches `ADMIN_PASSWORD`, the account is marked `IsAdmin=true` and can use admin APIs.
+- Register accepts optional `adminKey`; when it matches `ADMIN_PASSWORD`, the account is marked `IsAdmin=true` and can use admin APIs. If an `adminKey` is supplied but wrong (or ADMIN_PASSWORD unset), registration returns 400.
 ## State
 GET /api/state (public)
diff --git a/Endpoints/AuthEndpoints.cs b/Endpoints/AuthEndpoints.cs
index cfb786c..46ed4d7 100644
--- a/Endpoints/AuthEndpoints.cs
+++ b/Endpoints/AuthEndpoints.cs
@@ -35,7 +35,13 @@ public static class AuthEndpoints
 var (hash, salt) = PasswordHasher.HashPassword(request.Password);
 var adminKey = EndpointHelpers.TrimTo(request.AdminKey, 128);
 var expectedAdminKey = config["ADMIN_PASSWORD"];
- var isAdmin = !string.IsNullOrWhiteSpace(expectedAdminKey) && adminKey == expectedAdminKey;
+ var wantsAdmin = !string.IsNullOrWhiteSpace(adminKey);
+ if (wantsAdmin)
+ {
+ if (string.IsNullOrWhiteSpace(expectedAdminKey) || adminKey != expectedAdminKey)
+ return Results.BadRequest(new { error = "Invalid admin key." });
+ }
+ var isAdmin = wantsAdmin;
 var player = new Player
 {
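Review bot: The new check `adminKey != expectedAdminKey` compares a secret with ordinary string inequality, which short-circuits on the first differing character, and because registration is unauthenticated the explicit 400 now gives every caller a direct accept/reject answer for ADMIN_PASSWORD without even creating an account, so nothing in this hunk slows down repeated guesses. Compare the two values with `CryptographicOperations.FixedTimeEquals` over their UTF-8 bytes (needs `using System.Security.Cryptography;` and `using System.Text;`), and log rejected admin-key attempts with the client address so they can be rate-limited or alerted on. The supplied key is also cut with `EndpointHelpers.TrimTo(request.AdminKey, 128)` while the configured value is not, so a configured key longer than 128 characters could never match — worth confirming against TrimTo, whose behaviour is not visible here. The register handler that contains these lines starts and ends outside the hunk.
```csharp
var wantsAdmin = !string.IsNullOrWhiteSpace(adminKey);
if (wantsAdmin)
{
    // Fixed-time comparison: string != stops at the first mismatching character.
    var keyMatches = !string.IsNullOrWhiteSpace(expectedAdminKey)
        && CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(adminKey!),
            Encoding.UTF8.GetBytes(expectedAdminKey));
    if (!keyMatches)
        return Results.BadRequest(new { error = "Invalid admin key." });
}
var isAdmin = wantsAdmin;
// … unchanged: Player construction …
```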