Restricting the API access to logged in admins. Only admin log in is publicly accessible.

2026-02-20 16:22:19 +01:00
parent 38652c504d
commit 35dbb79ccd
2 changed files with 21 additions and 3 deletions
--- a/lib/beet_round_server_web/router.ex
+++ b/lib/beet_round_server_web/router.ex
@ -20,21 +20,27 @@ defmodule BeetRoundServerWeb.Router do
    plug :accepts, ["json"]
  end

+  pipeline :admin do
+    plug :fetch_api_admin
+  end
+
  scope "/", BeetRoundServerWeb do
    pipe_through :browser

    get "/", PageController, :home
  end

+  ### API ###
  scope "/api", BeetRoundServerWeb do
    pipe_through :api
+
    post "/log_in", AdminController, :log_in
-    post "/admin_create", AdminController, :create
+    # post "/admin_create", AdminController, :create
  end

-  # Other scopes may use custom stacks.
+  ### protected API ###
  scope "/api", BeetRoundServerWeb do
-    pipe_through :api
+    pipe_through [:api, :admin]

    get "/", DefaultApiController, :index