From 087534ce230baf2c375af642bed28875e9424ad9 Mon Sep 17 00:00:00 2001
From: nak
Date: Thu, 19 Mar 2026 01:48:54 +0000
Subject: [PATCH] Remove ADMIN_TOKEN, add username check

---
 main.go | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/main.go b/main.go
index b5fd977..e1cb3e9 100644
--- a/main.go
+++ b/main.go
@@ -25,7 +25,6 @@ var ctx = context.Background()
 var domainAdminUser string
 var domainAdminPass string
 var hmacSecret []byte
-var adminToken string
 var pokerManager *poker.Manager
 
 // Shape definitions: name -> face count -> price (100 * faces)
@@ -84,12 +83,6 @@ func main() {
 }
 log.Println("Connected to Redis")
 
-// Admin token for poker admin UI
-adminToken = os.Getenv("ADMIN_TOKEN")
-if adminToken == "" {
-log.Fatal("ADMIN_TOKEN environment variable must be set")
-}
-
 // Poker manager
 pokerManager = poker.NewManager(rdb, ctx)
 pokerManager.ValidateToken = validateToken
@@ -485,14 +478,18 @@ func adjustBalance(username string, delta int64) (int64, error) {
 return int64(newBalance), err
 }
 
-// adminAuthMiddleware checks the Authorization header against ADMIN_TOKEN.
 func adminAuthMiddleware(next http.HandlerFunc) http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
-auth := r.Header.Get("Authorization")
-if !strings.HasPrefix(auth, "Bearer ") || strings.TrimPrefix(auth, "Bearer ") != adminToken {
+username, err := validateToken(r)
+if err != nil {
 http.Error(w, "unauthorized", http.StatusUnauthorized)
 return
 }
+if username != "nak" {
+http.Error(w, "forbidden", http.StatusForbidden)
+return
+}
 next(w, r)
 }
 }
+
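Review bot: The admin check in adminAuthMiddleware now hard-codes the username `"nak"`, so granting or revoking admin rights means a code change and redeploy, whereas the removed ADMIN_TOKEN was read from the environment in main; a set of admin usernames populated at startup from an env var (e.g. a constructed name like `ADMIN_USERS`) would keep the policy out of the code, with the check becoming `if _, ok := adminUsers[username]; !ok {`. The function's doc comment was dropped and not replaced; suggest `// adminAuthMiddleware requires a valid session token whose username is an admin; it responds 401 when the token is missing or invalid and 403 when the user is not an admin.` A rejected admin attempt is worth a log line carrying the username, since those are the requests an operator wants to see. Also, if nothing else in main.go still uses the strings package after the removed HasPrefix/TrimPrefix calls, the import is now unused and the build fails — worth confirming, as validateToken's contract and the rest of the file are outside this hunk.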