2026-03-06 09:34:25 +01:00
2 changed files with 16 additions and 5 deletions
--- a/server/.env.template
+++ b/server/.env.template
@@ -44,3 +44,7 @@
 # VAPID_PUBLIC_KEY=
 # VAPID_PRIVATE_KEY=
 # VAPID_SUBJECT=mailto:admin@example.com
+
+# Heslo pro bypass rate limitu na endpointu /api/food/refresh (pro skripty/admin).
+# Bez hesla může refresh volat každý přihlášený uživatel (podléhá rate limitu).
+# REFRESH_BYPASS_PASSWORD=
--- a/server/src/routes/foodRoutes.ts
+++ b/server/src/routes/foodRoutes.ts
@@ -191,13 +191,20 @@ router.post("/updateBuyer", async (req, res, next) => {
    } catch (e: any) { next(e) }
 });

-// /api/food/refresh?type=week&heslo=docasnyheslo
+// /api/food/refresh?type=week  (přihlášený uživatel, nebo ?heslo=... pro bypass rate limitu)
 export const refreshMetoda = async (req: Request, res: Response) => {
    const { type, heslo } = req.query as { type?: string; heslo?: string };
-    if (heslo !== "docasnyheslo" && heslo !== "tohleheslopavelnesmizjistit123") {
-        return res.status(403).json({ error: "Neplatné heslo" });
+    const bypassPassword = process.env.REFRESH_BYPASS_PASSWORD;
+    const isBypass = !!bypassPassword && heslo === bypassPassword;
+
+    if (!isBypass) {
+        try {
+            getLogin(parseToken(req));
+        } catch {
+            return res.status(403).json({ error: "Přihlaste se prosím" });
+        }
    }
-    if (!checkRateLimit("refresh") && heslo !== "tohleheslopavelnesmizjistit123") {
+    if (!checkRateLimit("refresh") && !isBypass) {
        return res.status(429).json({ error: "Refresh už se zavolal, chvíli počkej :))" });
    }
    if (type !== "week" && type !== "day") {