Remove ADMIN_TOKEN, add username check

main.go

@@ -25,7 +25,6 @@ var ctx = context.Background()
 var domainAdminUser string
 var domainAdminPass string
 var hmacSecret []byte
-var adminToken string
 var pokerManager *poker.Manager
 
 // Shape definitions: name -> face count -> price (100 * faces)
@@ -84,12 +83,6 @@ func main() {
 	}
 	log.Println("Connected to Redis")
 
-	// Admin token for poker admin UI
-	adminToken = os.Getenv("ADMIN_TOKEN")
-	if adminToken == "" {
-		log.Fatal("ADMIN_TOKEN environment variable must be set")
-	}
-
 	// Poker manager
 	pokerManager = poker.NewManager(rdb, ctx)
 	pokerManager.ValidateToken = validateToken
@@ -485,14 +478,18 @@ func adjustBalance(username string, delta int64) (int64, error) {
 	return int64(newBalance), err
 }
 
-// adminAuthMiddleware checks the Authorization header against ADMIN_TOKEN.
 func adminAuthMiddleware(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		auth := r.Header.Get("Authorization")
+		username, err := validateToken(r)
-		if !strings.HasPrefix(auth, "Bearer ") || strings.TrimPrefix(auth, "Bearer ") != adminToken {
+		if err != nil {
 			http.Error(w, "unauthorized", http.StatusUnauthorized)
 			return
 		}
+		if username != "nak" {
+			http.Error(w, "forbidden", http.StatusForbidden)
+			return
+		}
 		next(w, r)
 	}
 }
+