only allow admins to mark items as read

diff --git a/src/public/reader.html b/src/public/reader.html
index cfb6cc501ab83e41c6177afbe746970ae9d3c227..c4798ebdc3318be716be4e3d0048bb0cb9169865 100644 (file)
--- a/src/public/reader.html
+++ b/src/public/reader.html
@@ -37,7 +37,9 @@
   const headerName = 'last-check';
   document.body.addEventListener('htmx:configRequest', evt => {
     const val = localStorage.getItem(keyName);
+    const secret = localStorage.getItem('secret');
     event.detail.headers[headerName] = val;
+    event.detail.headers['x-secret'] = secret;
     if(val) {
       event.detail.headers['entry-count'] = document.querySelectorAll('.item').length;
     }

diff --git a/src/server.ts b/src/server.ts
index e82719a31b57187b5ad1f676704b595c4153bc78..7ed5556be5f906362630ecbfb2729b8ca9fa277a 100644 (file)
--- a/src/server.ts
+++ b/src/server.ts
@@ -234,13 +234,20 @@ app.get('/feeds/:feed_id', async (req, res) => {
 });
 
 app.post('/feed_entry/:feed_entry_id', async (req, res) => {
-  const item: FeedWithEntrySchema[] = await db('feed_entry').update({
-    is_read: true
-  }).where({
-    id: req.params.feed_entry_id
-  }).returning('*');
+  const authSecret = req.header('x-secret');
 
-  res.send(renderReaderAppFeedEntry(item.pop()));
+  if(authSecret === process.env.ADMIN_KEY) {
+    const item: FeedWithEntrySchema[] = await db('feed_entry').update({
+      is_read: true
+    }).where({
+      id: req.params.feed_entry_id
+    }).returning('*');
+
+    res.send(renderReaderAppFeedEntry(item.pop()));
+  }
+  else {
+    res.sendStatus(204).end();
+  }
 });
 
 app.delete('/feeds/:feed_id', async (req, res) => {