Restricting the API access to logged in admins. Only admin log in is publicly accessible.

lib/beet_round_server_web/admin_auth.ex

@@ -89,6 +89,18 @@ defmodule BeetRoundServerWeb.AdminAuth do
     end
   end
 
+  def fetch_api_admin(conn, _opts) do
+    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
+         {:ok, admin} <- Admins.fetch_admin_by_api_token(token) do
+      assign(conn, :current_admin, admin)
+    else
+      _ ->
+        conn
+        |> send_resp(:unauthorized, "No access for you!")
+        |> halt()
+    end
+  end
+
   # Reissue the session token if it is older than the configured reissue age.
   defp maybe_reissue_admin_session_token(conn, admin, token_inserted_at) do
     token_age = DateTime.diff(DateTime.utc_now(:second), token_inserted_at, :day)

lib/beet_round_server_web/router.ex

@@ -20,21 +20,27 @@ defmodule BeetRoundServerWeb.Router do
     plug :accepts, ["json"]
   end
 
+  pipeline :admin do
+    plug :fetch_api_admin
+  end
+
   scope "/", BeetRoundServerWeb do
     pipe_through :browser
 
     get "/", PageController, :home
   end
 
+  ### API ###
   scope "/api", BeetRoundServerWeb do
     pipe_through :api
+
     post "/log_in", AdminController, :log_in
-    post "/admin_create", AdminController, :create
+    # post "/admin_create", AdminController, :create
   end
 
-  # Other scopes may use custom stacks.
+  ### protected API ###
   scope "/api", BeetRoundServerWeb do
-    pipe_through :api
+    pipe_through [:api, :admin]
 
     get "/", DefaultApiController, :index