From: xangelo <me@xangelo.ca>
Date: Thu, 8 Feb 2024 21:24:30 +0000 (-0500)
Subject: only allow admins to mark items as read
X-Git-Url: https://git.xangelo.ca/?a=commitdiff_plain;h=2110217506c21b67ad50891d2192802657aad3fd;p=river.git

only allow admins to mark items as read
---

diff --git a/src/public/reader.html b/src/public/reader.html
index cfb6cc5..c4798eb 100644
--- a/src/public/reader.html
+++ b/src/public/reader.html
@@ -37,7 +37,9 @@
   const headerName = 'last-check';
   document.body.addEventListener('htmx:configRequest', evt => {
     const val = localStorage.getItem(keyName);
+    const secret = localStorage.getItem('secret');
     event.detail.headers[headerName] = val;
+    event.detail.headers['x-secret'] = secret;
     if(val) {
       event.detail.headers['entry-count'] = document.querySelectorAll('.item').length;
     }
diff --git a/src/server.ts b/src/server.ts
index e82719a..7ed5556 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -234,13 +234,20 @@ app.get('/feeds/:feed_id', async (req, res) => {
 });
 
 app.post('/feed_entry/:feed_entry_id', async (req, res) => {
-  const item: FeedWithEntrySchema[] = await db('feed_entry').update({
-    is_read: true
-  }).where({
-    id: req.params.feed_entry_id
-  }).returning('*');
+  const authSecret = req.header('x-secret');
 
-  res.send(renderReaderAppFeedEntry(item.pop()));
+  if(authSecret === process.env.ADMIN_KEY) {
+    const item: FeedWithEntrySchema[] = await db('feed_entry').update({
+      is_read: true
+    }).where({
+      id: req.params.feed_entry_id
+    }).returning('*');
+
+    res.send(renderReaderAppFeedEntry(item.pop()));
+  }
+  else {
+    res.sendStatus(204).end();
+  }
 });
 
 app.delete('/feeds/:feed_id', async (req, res) => {