From da8537c0fdd8a6a9d78beb1e9b04a1f3f02fef1e Mon Sep 17 00:00:00 2001
From: Seth Etter
Date: Sun, 23 Feb 2025 10:16:54 -0600
Subject: [PATCH] disable admin routes entirely if config not set
---
 pkg/config/config.go | 4 ++--
 pkg/server/server.go | 22 ++++++++++++----------
 2 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 32e7a7e..c49a8db 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -16,8 +16,8 @@ type Config struct {
 Email *EmailConfig
 Twitter *TwitterConfig
 SlackHook string `envconfig:"SLACK_HOOK"`
- AdminUser string `envconfig:"ADMIN_USER" required:"true" default:"admin"`
- AdminPassword string `envconfig:"ADMIN_PASSWORD" require:"true" default:"password"`
+ AdminUser string `envconfig:"ADMIN_USER"`
+ AdminPassword string `envconfig:"ADMIN_PASSWORD"`
 }
 
 type EmailConfig struct {
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 18e8dcf..a4a782b 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -80,16 +80,18 @@ func NewServer(c *ServerConfig) (http.Server, error) {
 authorized.POST("/jobs/:id/delete", ctrl.DeleteJob)
 }
 
- // Admin routes
- admin := router.Group("/admin")
- admin.Use(gin.BasicAuth(gin.Accounts{
- c.Config.AdminUser: c.Config.AdminPassword,
- }))
- {
- admin.GET("", ctrl.AdminIndex)
- admin.GET("/jobs/:id/edit", ctrl.EditJob)
- admin.POST("/jobs/:id", ctrl.UpdateJob)
- admin.POST("/jobs/:id/delete", ctrl.DeleteJob)
+ if c.Config.AdminUser != "" {
+ // Admin routes
+ admin := router.Group("/admin")
+ admin.Use(gin.BasicAuth(gin.Accounts{
+ c.Config.AdminUser: c.Config.AdminPassword,
+ }))
+ {
+ admin.GET("", ctrl.AdminIndex)
+ admin.GET("/jobs/:id/edit", ctrl.EditJob)
+ admin.POST("/jobs/:id", ctrl.UpdateJob)
+ admin.POST("/jobs/:id/delete", ctrl.DeleteJob)
+ }
 }
 
 return http.Server{
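Review bot: In pkg/config/config.go the `AdminUser` and `AdminPassword` fields now act as a feature switch, but nothing at the struct says that leaving `ADMIN_USER` unset turns the /admin routes off. I would add a comment above the two fields, for example `// AdminUser and AdminPassword guard the /admin routes; when ADMIN_USER is unset the routes are not registered.` Deployments that relied on the old `admin`/`password` defaults will stop serving the admin pages after this change without any message, so the behaviour also deserves a line in the README or release notes. The Config struct starts outside the hunk.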
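Review bot: The guard in pkg/server/server.go tests only `c.Config.AdminUser`, so a deployment that sets `ADMIN_USER` but leaves `ADMIN_PASSWORD` unset still gets /admin registered, now with an empty password in `gin.Accounts`, because config.go no longer requires or defaults the password. As far as I know gin.BasicAuth rejects an empty user but accepts an empty password, so the check should cover both values: `if c.Config.AdminUser != "" && c.Config.AdminPassword != "" {`. Returning an error from NewServer when only one of the two is set would make the misconfiguration visible instead of silently choosing one behaviour. NewServer's body starts and ends outside the hunk.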