feat: ✨ add api lock key

www/router.php

@@ -36,6 +36,32 @@ $SURI = $_SERVER['REQUEST_URI'];
 
 if($SURI == '/') {
     echo $twig->render('root.html');
+} elseif(preg_match('/^\/api\/admin/', $SURI)) {
+    header('Content-Type: application/json');
+
+    $user_api_key = '';
+    if(isset($_GET['api_key'])) {
+        $user_api_key = $_GET['api_key'];
+    }
+    if(isset($_POST['api_key'])) {
+        $user_api_key = $_POST['api_key'];
+    }
+
+    if($user_api_key != file_get_contents('secrets/api_admin_key')) {
+        http_response_code(401);
+
+        echo json_encode([
+            "authorized" => false
+        ]);
+
+        die();
+    }
+
+    if($SURI = '/api/admin/upload') {
+        $adapter->handle_upload($_POST['post_path'], $_FILES['post_data']['tmp_name']);
+
+        echo json_encode(["ok" => true]);
+    }
 } elseif(preg_match('/^\/api/', $SURI)) {
     if(preg_match('/^\/api\/posts(.*)$/', $SURI, $match)) {
 
@@ -47,10 +73,6 @@ if($SURI == '/') {
         header('Content-Type: application/json');
         echo json_encode(get_subposts($match[1]));
     } elseif($SURI == '/api/upload') {
-        
-        if(array_key_exists('post_data', $_FILES)) {
-            $adapter->handle_upload($_POST['post_path'], $_FILES['post_data']['tmp_name']);
-        }
 
         echo $twig->render('upload.html');
     }

www/secrets/.gitignore

@@ -1 +1,2 @@
-*.json
+*.json
+api_admin_key

www/templates/upload.html

@@ -8,8 +8,9 @@
 
 {%block main_content%}
 	<article>
-		<form method="post" enctype="multipart/form-data">
+		<form method="post" enctype="multipart/form-data" action="/api/admin/upload">
 			<input type="text" id="post_path" name="post_path"/>
+			<input type="password" id="api_key" name="api_key"/>
 			<input type="file" id="post_data" name="post_data"/>
 
 			<button>Submit</button>