diff options
| author | yyamashita <yyamashita@hetzner.yyamashita.com> | 2026-06-19 23:28:00 +0900 |
|---|---|---|
| committer | yyamashita <yyamashita@hetzner.yyamashita.com> | 2026-06-19 23:28:00 +0900 |
| commit | b5a24a1dcf5cdce6da925bb30d57b9f2a124f1dd (patch) | |
| tree | 873865e6a0e4c7929b01d481d367da0dc58f2822 | |
| parent | 85e06567f3054b6fc7349aa1f65809db47c9034a (diff) | |
Require Bearer token auth on POST /api/posts
Reuses REGISTER_TOKEN so the same secret covers both
passkey registration and API posting.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| -rw-r--r-- | app/routes/api.posts.tsx | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/app/routes/api.posts.tsx b/app/routes/api.posts.tsx index 2d5637c..8ef7639 100644 --- a/app/routes/api.posts.tsx +++ b/app/routes/api.posts.tsx @@ -14,6 +14,12 @@ export async function action({ request }: Route.ActionArgs) { return Response.json({ error: "Method not allowed" }, { status: 405 }); } + const token = process.env.REGISTER_TOKEN; + const auth = request.headers.get("Authorization") ?? ""; + if (!token || auth !== `Bearer ${token}`) { + return Response.json({ error: "Unauthorized" }, { status: 401 }); + } + let content: string; const ct = request.headers.get("content-type") ?? ""; if (ct.includes("application/json")) { |
