feat: protect post routes

believer · Sep 27, 2023 · ed8f6aa · ed8f6aa
1 parent 8d85b7f
commit ed8f6aa
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 0 deletions.
diff --git a/handlers/movies.go b/handlers/movies.go
@@ -3,6 +3,7 @@ package handlers
 import (
 	"believer/movies/db"
 	"believer/movies/types"
+	"believer/movies/utils"
 	"database/sql"
 	"encoding/json"
 	"fmt"
@@ -114,6 +115,12 @@ ORDER BY date DESC
 
 // Render the add movie page
 func HandleGetMovieNew(c *fiber.Ctx) error {
+	isAuth := utils.IsAuthenticated(c)
+
+	if isAuth == false {
+		return c.Redirect("/")
+	}
+
 	return c.Render("add", nil)
 }
 
@@ -154,6 +161,12 @@ func tmdbFetchMovie(route string) map[string]interface{} {
 
 // Handle adding a movies
 func HandlePostMovieNew(c *fiber.Ctx) error {
+	isAuth := utils.IsAuthenticated(c)
+
+	if isAuth == false {
+		return c.SendStatus(fiber.StatusUnauthorized)
+	}
+
 	data := new(struct {
 		ImdbID    string `form:"imdb_id"`
 		Rating    int    `form:"rating"`
@@ -234,6 +247,12 @@ SELECT id, title FROM movie WHERE imdb_id = $1
 }
 
 func HandlePostMovieSeenNew(c *fiber.Ctx) error {
+	isAuth := utils.IsAuthenticated(c)
+
+	if isAuth == false {
+		return c.SendStatus(fiber.StatusUnauthorized)
+	}
+
 	tx := db.Client.MustBegin()
 
 	tx.MustExec(`INSERT INTO seen (user_id, movie_id) VALUES ($1, $2)`, 1, c.Params("id"))

diff --git a/handlers/routes.go b/handlers/routes.go
@@ -3,6 +3,7 @@ package handlers
 import (
 	"believer/movies/db"
 	"believer/movies/types"
+	"believer/movies/utils"
 	"strconv"
 
 	"github.com/gofiber/fiber/v2"
@@ -34,6 +35,7 @@ LIMIT 20
 	}
 
 	return c.Render("index", fiber.Map{
+		"IsAdmin":  utils.IsAuthenticated(c),
 		"Movies":   movies,
 		"NextPage": page + 1,
 	})

diff --git a/utils/utils.go b/utils/utils.go
@@ -0,0 +1,14 @@
+package utils
+
+import (
+	"os"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+func IsAuthenticated(c *fiber.Ctx) bool {
+	adminSecret := os.Getenv("ADMIN_SECRET")
+	cookieAdminSecret := c.Cookies("admin_secret")
+
+	return cookieAdminSecret == adminSecret
+}
diff --git a/views/index.html b/views/index.html
@@ -10,12 +10,14 @@
         hx-trigger="keyup changed delay:500ms, search"
         hx-target="ol"
         />
+    {{ if .IsAdmin }}
     <a class="md:absolute top-10 right-8 focus:outline-none focus-visible:outline-dashed focus-visible:outline-offset-8 focus-visible:outline-neutral-400 dark:focus-visible:outline-neutral-600 rounded" href="/movies/new"
       >
       <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="w-6 h-6">
         <path stroke-linecap="round" stroke-linejoin="round" d="M12 4.5v15m7.5-7.5h-15" />
       </svg>
     </a>
+    {{ end }}
   </nav>
 
   <ol role="feed" class="relative flex flex-col gap-6 text-sm">