Protect launcher admin tools

2026-06-27 00:51:20 -04:00 · 2026-06-27 00:51:20 -04:00 · ab1dfbf029
commit ab1dfbf029
parent fad065c429
4 changed files with 384 additions and 151 deletions
--- a/scripts/request-analysis-worker.mjs
+++ b/scripts/request-analysis-worker.mjs
@ -17,6 +17,7 @@ const DEFAULTS = {
  modelBaseUrl: process.env.REQUEST_ANALYZER_MODEL_BASE_URL || "",
  model: process.env.REQUEST_ANALYZER_MODEL || "",
  apiKey: process.env.REQUEST_ANALYZER_API_KEY || process.env.DEEPSEEK_API_KEY || "",
+  adminPassword: process.env.REQUEST_ANALYZER_ADMIN_PASSWORD || process.env.LAUNCHER_ADMIN_PASSWORD || "",
  limit: Number(process.env.REQUEST_ANALYZER_LIMIT || 5),
  promoteThreshold: Number(process.env.REQUEST_ANALYZER_PROMOTE_THRESHOLD || 0.85),
  maxTokens: Math.max(512, Number(process.env.REQUEST_ANALYZER_MAX_TOKENS || 4000)),
@ -57,12 +58,14 @@ Environment variables:
  REQUEST_ANALYZER_MODEL_BASE_URL
  REQUEST_ANALYZER_MODEL
  REQUEST_ANALYZER_API_KEY
+  REQUEST_ANALYZER_ADMIN_PASSWORD
  REQUEST_ANALYZER_MAX_TOKENS
  REQUEST_ANALYZER_THINKING
  REQUEST_ANALYZER_LIMIT
  REQUEST_ANALYZER_INTERVAL_MS
  REQUEST_ANALYZER_PROMOTE_THRESHOLD
  DEEPSEEK_API_KEY
+  LAUNCHER_ADMIN_PASSWORD

 Notes:
  - DeepSeek uses ${DEFAULT_DEEPSEEK_BASE_URL}/chat/completions.
@ -194,6 +197,17 @@ async function fetchJson(url, init = {}) {
  return response.json();
 }

+function buildAdminHeaders(config, baseHeaders = {}) {
+  const nextHeaders = {
+    ...baseHeaders,
+  };
+  const adminPassword = String(config?.adminPassword || "").trim();
+  if (adminPassword) {
+    nextHeaders["x-worldshaper-admin-password"] = adminPassword;
+  }
+  return nextHeaders;
+}
+
 function tokenize(value) {
  return String(value || "")
    .toLowerCase()
@ -498,9 +512,9 @@ async function getLauncherRequests(config) {
 async function patchLauncherRequest(config, requestId, body) {
  return fetchJson(buildUrl(config.apiBase, `/api/launcher-requests/${encodeURIComponent(requestId)}`), {
    method: "PATCH",
-    headers: {
+    headers: buildAdminHeaders(config, {
      "Content-Type": "application/json",
-    },
+    }),
    body: JSON.stringify(body),
  });
 }
@ -508,9 +522,9 @@ async function patchLauncherRequest(config, requestId, body) {
 async function processLauncherRequestAnalysis(config, requestId, body) {
  return fetchJson(buildUrl(config.apiBase, `/api/launcher-requests/${encodeURIComponent(requestId)}/process-analysis`), {
    method: "POST",
-    headers: {
+    headers: buildAdminHeaders(config, {
      "Content-Type": "application/json",
-    },
+    }),
    body: JSON.stringify(body),
  });
 }