From 607bcd9bf50c6e529207e7713f6e8f3d43124628 Mon Sep 17 00:00:00 2001
From: Batmanisko
Date: Thu, 5 Mar 2026 21:50:17 +0100
Subject: [PATCH] =?UTF-8?q?feat:=20uprava=20refresh=20menu=20hesel=20ka?=
 =?UTF-8?q?=C5=BEd=C3=BD=20m=C5=AF=C5=BEe=20ud=C4=9Blat=20refresh,=20jen?=
 =?UTF-8?q?=20ne=20tak=20=C4=8Dasto,=20bypass=20mimo=20zdrojak?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 server/.env.template | 6 +++++-
 server/src/routes/foodRoutes.ts | 15 +++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/server/.env.template b/server/.env.template
index f78a16d..52e80be 100644
--- a/server/.env.template
+++ b/server/.env.template
@@ -43,4 +43,8 @@
 # Vygenerovat pomocí: npx web-push generate-vapid-keys
 # VAPID_PUBLIC_KEY=
 # VAPID_PRIVATE_KEY=
-# VAPID_SUBJECT=mailto:admin@example.com
\ No newline at end of file
+# VAPID_SUBJECT=mailto:admin@example.com
+
+# Heslo pro bypass rate limitu na endpointu /api/food/refresh (pro skripty/admin).
+# Bez hesla může refresh volat každý přihlášený uživatel (podléhá rate limitu).
+# REFRESH_BYPASS_PASSWORD=
\ No newline at end of file
diff --git a/server/src/routes/foodRoutes.ts b/server/src/routes/foodRoutes.ts
index ba4bdd4..2688d7e 100644
--- a/server/src/routes/foodRoutes.ts
+++ b/server/src/routes/foodRoutes.ts
@@ -191,13 +191,20 @@ router.post("/updateBuyer", async (req, res, next) => {
 } catch (e: any) { next(e) } });
-// /api/food/refresh?type=week&heslo=docasnyheslo
+// /api/food/refresh?type=week (přihlášený uživatel, nebo ?heslo=... pro bypass rate limitu)
 export const refreshMetoda = async (req: Request, res: Response) => {
 const { type, heslo } = req.query as { type?: string; heslo?: string };
-if (heslo !== "docasnyheslo" && heslo !== "tohleheslopavelnesmizjistit123") {
-return res.status(403).json({ error: "Neplatné heslo" });
+const bypassPassword = process.env.REFRESH_BYPASS_PASSWORD;
+const isBypass = !!bypassPassword && heslo === bypassPassword;
+
+if (!isBypass) {
+try {
+getLogin(parseToken(req));
+} catch {
+return res.status(403).json({ error: "Přihlaste se prosím" });
+}
 }
-if (!checkRateLimit("refresh") && heslo !== "tohleheslopavelnesmizjistit123") {
+if (!checkRateLimit("refresh") && !isBypass) {
 return res.status(429).json({ error: "Refresh už se zavolal, chvíli počkej :))" });
 }
 if (type !== "week" && type !== "day") {
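Review bot: The bypass secret is still accepted only as the `heslo` query parameter and compared with `===` in `const isBypass = !!bypassPassword && heslo === bypassPassword;`, so it is written into access logs, proxy logs and browser history, and the comparison is not constant-time. I would read it from a request header (for example `req.header("authorization")`) rather than the URL and compare with `crypto.timingSafeEqual` on equal-length buffers: `const supplied = Buffer.from(heslo ?? ""); const expected = Buffer.from(bypassPassword ?? "");` then `const isBypass = expected.length > 0 && supplied.length === expected.length && crypto.timingSafeEqual(supplied, expected);` (with `import crypto from "node:crypto"` at the top of the file, outside this hunk). The bare `catch {}` around `getLogin(parseToken(req))` turns every failure into 403 "Přihlaste se prosím"; 401 is the conventional status for a missing or invalid login, and logging the caught error before answering would make auth failures diagnosable. Note also that `checkRateLimit("refresh")` still runs before `type` is validated, so a request with a bad `type` consumes the shared refresh slot if the helper records the call; moving the `type` check above it would avoid that. `refreshMetoda` continues past the end of the hunk.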