Validate admin key on register

This commit is contained in:
2026-01-29 01:18:34 +01:00
parent 60191a1fe3
commit c318cfd120
2 changed files with 8 additions and 2 deletions

API.md

@@ -7,7 +7,7 @@ POST /api/auth/register
POST /api/auth/login
POST /api/auth/logout
- Register accepts optional `adminKey`; when it matches `ADMIN_PASSWORD`, the account is marked `IsAdmin=true` and can use admin APIs.
- Register accepts optional `adminKey`; when it matches `ADMIN_PASSWORD`, the account is marked `IsAdmin=true` and can use admin APIs. If an `adminKey` is supplied but wrong (or ADMIN_PASSWORD unset), registration returns 400.
## State
GET /api/state (public)


@@ -35,7 +35,13 @@ public static class AuthEndpoints
var (hash, salt) = PasswordHasher.HashPassword(request.Password);
var adminKey = EndpointHelpers.TrimTo(request.AdminKey, 128);
var expectedAdminKey = config["ADMIN_PASSWORD"];
var isAdmin = !string.IsNullOrWhiteSpace(expectedAdminKey) && adminKey == expectedAdminKey;
var wantsAdmin = !string.IsNullOrWhiteSpace(adminKey);
if (wantsAdmin)
{
if (string.IsNullOrWhiteSpace(expectedAdminKey) || adminKey != expectedAdminKey)
return Results.BadRequest(new { error = "Invalid admin key." });
}
var isAdmin = wantsAdmin;
var player = new Player
{