summaryrefslogtreecommitdiff
path: root/app/routes
diff options
context:
space:
mode:
authoryyamashita <yyamashita@hetzner.yyamashita.com>2026-06-19 23:28:00 +0900
committeryyamashita <yyamashita@hetzner.yyamashita.com>2026-06-19 23:28:00 +0900
commitb5a24a1dcf5cdce6da925bb30d57b9f2a124f1dd (patch)
tree873865e6a0e4c7929b01d481d367da0dc58f2822 /app/routes
parent85e06567f3054b6fc7349aa1f65809db47c9034a (diff)
Require Bearer token auth on POST /api/posts
Reuses REGISTER_TOKEN so the same secret covers both passkey registration and API posting. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to 'app/routes')
-rw-r--r--app/routes/api.posts.tsx6
1 files changed, 6 insertions, 0 deletions
diff --git a/app/routes/api.posts.tsx b/app/routes/api.posts.tsx
index 2d5637c..8ef7639 100644
--- a/app/routes/api.posts.tsx
+++ b/app/routes/api.posts.tsx
@@ -14,6 +14,12 @@ export async function action({ request }: Route.ActionArgs) {
return Response.json({ error: "Method not allowed" }, { status: 405 });
}
+ const token = process.env.REGISTER_TOKEN;
+ const auth = request.headers.get("Authorization") ?? "";
+ if (!token || auth !== `Bearer ${token}`) {
+ return Response.json({ error: "Unauthorized" }, { status: 401 });
+ }
+
let content: string;
const ct = request.headers.get("content-type") ?? "";
if (ct.includes("application/json")) {