diff --git a/.env.example b/.env.example
index cea10bd..70e5cca 100644
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,6 @@
 DATABASE_URI=sqlite://./database.db
 ADMIN_USER=admin
 ADMIN_PASSWORD=admin
+REPORT_SECRET=
 PUBLIC_START_DATE=2023-12-26T00:00:00+0200
 PUBLIC_BASE_PATH=
diff --git a/README.md b/README.md
index 0207f9a..43a0a83 100644
--- a/README.md
+++ b/README.md
@@ -29,12 +29,13 @@ $ node -r dotenv/config build/index.js Configurations can be done with env variables -| Name | Description | -| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | -| `HOST` | Host the server should listen on | -| `PORT` | Port the server should listen on | -| `DATABASE_URI` | URI to the database as a connection string. Supported databases are [sqlite](https://www.sqlite.org/index.html) and [mariadb](https://mariadb.org/) | -| `ADMIN_USER` | Name for the root admin user. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set | -| `ADMIN_PASSWORD` | Password for the root admin user defined via `ADMIN_USER`. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set | -| `PUBLIC_BASE_PATH` | If running the website on a sub-path, set this variable to the path so that assets etc. can find the correct location | -| `PUBLIC_START_DATE` | The start date when the event starts | +| Name | Description | +| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `HOST` | Host the server should listen on | +| `PORT` | Port the server should listen on | +| `DATABASE_URI` | URI to the database as a connection string. Supported databases are [sqlite](https://www.sqlite.org/index.html) and [mariadb](https://mariadb.org/) | +| `ADMIN_USER` | Name for the root admin user. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set | +| `ADMIN_PASSWORD` | Password for the root admin user defined via `ADMIN_USER`. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set | +| `REPORT_SECRET` | Secret which may be required (as `?secret=<secret>` query parameter) to create reports on the public endpoint. 
Isn't required to be in the request if this variable is empty | +| `PUBLIC_BASE_PATH` | If running the website on a sub-path, set this variable to the path so that assets etc. can find the correct location | +| `PUBLIC_START_DATE` | The start date when the event starts | diff --git a/src/routes/report/+server.ts b/src/routes/report/+server.ts index e72f9c6..6357cd4 100644 --- a/src/routes/report/+server.ts +++ b/src/routes/report/+server.ts @@ -1,9 +1,12 @@ import type { RequestHandler } from '@sveltejs/kit'; import { Report, User } from '$lib/server/database'; import * as crypto from 'crypto'; -import { env } from '$env/dynamic/public'; +import { env } from '$env/dynamic/private'; export const POST = (async ({ request, url }) => { + if (env.REPORT_SECRET && url.searchParams.get('secret') !== env.REPORT_SECRET) + return new Response(null, { status: 401 }); + const data: { reporter: string; reported: string; reason: string } = await request.json(); if (data.reporter == null || data.reported == null || data.reason == null)
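Review bot: The new guard on the first added line of the `POST` handler compares the `?secret=` query value to `env.REPORT_SECRET` with `!==`, a short-circuiting string comparison that returns as soon as one character differs, so timing on this public endpoint can in principle leak the secret character by character. `crypto` is already imported at the top of this file, so the comparison can be made constant-time with `crypto.timingSafeEqual` on equal-length buffers (sketch below; the explicit length check only leaks the secret's length, which `timingSafeEqual` would otherwise throw on). Separately, carrying the secret in the query string means it lands in access logs, proxy logs and browser history wherever a page calls this endpoint; if the documented `?secret=` interface can still change, a header such as `Authorization: Bearer <secret>` is the safer carrier. The handler body continues past the end of the hunk.
```typescript
export const POST = (async ({ request, url }) => {
	if (env.REPORT_SECRET) {
		const expected = Buffer.from(env.REPORT_SECRET);
		const provided = Buffer.from(url.searchParams.get('secret') ?? '');
		// Constant-time compare; the length check only leaks the secret's length.
		if (expected.length !== provided.length || !crypto.timingSafeEqual(expected, provided))
			return new Response(null, { status: 401 });
	}
	// … unchanged: body parsing and null checks on reporter/reported/reason …
```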