From d3af1cedfdc90a696c423301e6d60d9c156b8e9c Mon Sep 17 00:00:00 2001
From: bytedream
Date: Wed, 15 Oct 2025 13:15:24 +0200
Subject: [PATCH] update api auth

---
 README.md | 2 +-
 src/pages/api/feedback.ts | 4 ++--
 src/pages/api/player.ts | 4 ++--
 src/pages/api/report.ts | 6 +++---
 src/util/auth.ts | 7 +++++++
 5 files changed, 15 insertions(+), 8 deletions(-)
 create mode 100644 src/util/auth.ts

diff --git a/README.md b/README.md
index 64f1cb1..d6d5820 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 ## API
 
-> Wenn die env variable `API_SECRET` gesetzt ist, muss jede API Request den HTTP Header `Authorization: Basic ` haben.
+> Wenn die env variable `API_SECRET` gesetzt ist, muss jede API Request den HTTP Header `Authorization: Basic <"api:" as base64>` haben.
 
 POST /api/feedback (Erstellt Feedbackformulare)
 
diff --git a/src/pages/api/feedback.ts b/src/pages/api/feedback.ts
index 7bfb0e0..47f1c4b 100644
--- a/src/pages/api/feedback.ts
+++ b/src/pages/api/feedback.ts
@@ -1,8 +1,8 @@
 import { z } from 'astro:schema';
 import type { APIRoute } from 'astro';
-import { API_SECRET } from 'astro:env/server';
 import { db } from '@db/database.ts';
 import { BASE_PATH } from 'astro:env/server';
+import { checkApiBasicAuth } from '@util/auth.ts';
 
 const postSchema = z.object({
 	event: z.string(),
@@ -11,7 +11,7 @@ const postSchema = z.object({
 });
 
 export const POST: APIRoute = async ({ request }) => {
-	if (API_SECRET && request.headers.get('authorization') !== `Basic ${API_SECRET}`) {
+	if (!checkApiBasicAuth(request.headers)) {
 		return new Response(null, { status: 401 });
 	}
 
diff --git a/src/pages/api/player.ts b/src/pages/api/player.ts
index c2dfbec..d94479d 100644
--- a/src/pages/api/player.ts
+++ b/src/pages/api/player.ts
@@ -1,14 +1,14 @@
 import { z } from 'astro:schema';
 import type { APIRoute } from 'astro';
-import { API_SECRET } from 'astro:env/server';
 import { db } from '@db/database.ts';
+import { checkApiBasicAuth } from '@util/auth.ts';
 
 const getSchema = z.object({
 	user: z.string()
 });
 
 export const GET: APIRoute = async ({ request }) => {
-	if (API_SECRET && request.headers.get('authorization') !== `Basic ${API_SECRET}`) {
+	if (!checkApiBasicAuth(request.headers)) {
 		return new Response(null, { status: 401 });
 	}
 
diff --git a/src/pages/api/report.ts b/src/pages/api/report.ts
index ac6430e..d0c2538 100644
--- a/src/pages/api/report.ts
+++ b/src/pages/api/report.ts
@@ -1,8 +1,8 @@
 import type { APIRoute } from 'astro';
 import { z } from 'astro:schema';
-import { API_SECRET } from 'astro:env/server';
 import { db } from '@db/database.ts';
 import { sendWebhook, WebhookAction } from '@util/webhook.ts';
+import { checkApiBasicAuth } from '@util/auth.ts';
 
 const postSchema = z.object({
 	reporter: z.string(),
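Review bot: The 401 returned on the context line right after the new `checkApiBasicAuth` guard in the feedback.ts POST handler still carries no `WWW-Authenticate` header, which RFC 7235 requires on a 401 and which is what tells a client the expected scheme; `return new Response(null, { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="api"' } });` would fix it. The same applies to the GET handler in player.ts and to the POST and PUT handlers in report.ts further down. The helper also returns true whenever `API_SECRET` is unset, so all four handlers silently run unauthenticated in that configuration; a one-line comment at the call site, e.g. `// checkApiBasicAuth() is a no-op when API_SECRET is unset (see README)`, would make that visible to the next maintainer. Each handler's body continues outside its hunk.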
@@ -11,7 +11,7 @@ const postSchema = z.object({
 });
 
 export const POST: APIRoute = async ({ request }) => {
-	if (API_SECRET && request.headers.get('authorization') !== `Basic ${API_SECRET}`) {
+	if (!checkApiBasicAuth(request.headers)) {
 		return new Response(null, { status: 401 });
 	}
 
@@ -52,7 +52,7 @@ const putSchema = z.object({
 });
 
 export const PUT: APIRoute = async ({ request }) => {
-	if (API_SECRET && request.headers.get('authorization') !== `Basic ${API_SECRET}`) {
+	if (!checkApiBasicAuth(request.headers)) {
 		return new Response(null, { status: 401 });
 	}
 
diff --git a/src/util/auth.ts b/src/util/auth.ts
new file mode 100644
index 0000000..5e449dd
--- /dev/null
+++ b/src/util/auth.ts
@@ -0,0 +1,7 @@
+import { API_SECRET } from 'astro:env/server';
+
+const BASIC_AUTH_HEADER = API_SECRET ? `Basic ${Buffer.from(`api:${API_SECRET}`).toString('base64')}` : null;
+
+export function checkApiBasicAuth(headers: Headers) {
+	return BASIC_AUTH_HEADER ? headers.get('authorization') === BASIC_AUTH_HEADER : true;
+}
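Review bot: `checkApiBasicAuth` in the new src/util/auth.ts compares the presented header with the precomputed credential using `===`, which stops at the first differing character; for a shared secret checked on every request the usual choice is a constant-time comparison with `timingSafeEqual` from `node:crypto`, and the function should also declare its return type (`: boolean`). The match is byte-for-byte, so a lowercase `basic` scheme or any other encoding of the same credential is rejected; that is acceptable given the README line in this commit states the exact form, but it is worth a comment. Pulling the unset-secret case out of the ternary also makes the fail-open behaviour explicit rather than implied by `: true`. The rewrite below leaves the module-level `BASIC_AUTH_HEADER` unchanged.
```typescript
// … unchanged: API_SECRET import and BASIC_AUTH_HEADER; timingSafeEqual is imported from 'node:crypto' …

export function checkApiBasicAuth(headers: Headers): boolean {
	// No secret configured: authentication is intentionally disabled (see README).
	if (BASIC_AUTH_HEADER === null) return true;
	const presented = headers.get('authorization');
	if (presented === null) return false;
	const expected = Buffer.from(BASIC_AUTH_HEADER);
	const given = Buffer.from(presented);
	// timingSafeEqual throws on unequal lengths, so compare lengths first;
	// the scheme and encoding must match the README exactly ("Basic " + base64 of "api:<secret>").
	return given.length === expected.length && timingSafeEqual(given, expected);
}
```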