From b81df5866b9b043b2fa21697bd317a5ed7a76bf1 Mon Sep 17 00:00:00 2001 From: ScuroNeko Date: Fri, 27 Feb 2026 14:08:10 +0300 Subject: [PATCH] v1.1 --- app/api.go | 7 +++++++ app/routes.go | 38 ++++++++++++++------------------------ main.go | 2 +- 3 files changed, 22 insertions(+), 25 deletions(-) diff --git a/app/api.go b/app/api.go index 28b3ff5..ff875e4 100644 --- a/app/api.go +++ b/app/api.go @@ -57,3 +57,10 @@ func ReadBody[T any](r *http.Request) (T, error) { err := json.NewDecoder(r.Body).Decode(dst) return *dst, err } +func CheckToken(r *http.Request) bool { + auth := r.Header.Get("Authorization") + if auth != cfg.JWTSecret { + return false + } + return true +} diff --git a/app/routes.go b/app/routes.go index 6fe7fad..28f1331 100644 --- a/app/routes.go +++ b/app/routes.go @@ -7,11 +7,9 @@ import ( "io" "log" "net/http" - "strconv" ) type AddUserReq struct { - Token string `json:"token"` Username string `json:"username"` Password string `json:"password"` } @@ -28,7 +26,7 @@ func AddUser(w http.ResponseWriter, r *http.Request) { return } - if req.Token != cfg.JWTSecret { + if !CheckToken(r) { WriteError(w, errors.New("token required")) return } @@ -57,20 +55,20 @@ func AddUser(w http.ResponseWriter, r *http.Request) { } type DeleteUserReq struct { - Token string `json:"token"` - ID int `json:"id"` + ID int `json:"id"` } func DeleteUser(w http.ResponseWriter, r *http.Request) { + if !CheckToken(r) { + WriteError(w, errors.New("token required")) + return + } req, err := ReadBody[DeleteUserReq](r) if err != nil { WriteError(w, err) return } - if req.Token != cfg.JWTSecret { - WriteError(w, errors.New("invalid token")) - return - } + provider, err := LoadProvider() if err != nil { WriteError(w, err) 
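Review bot: In `CheckToken` (app/api.go) the test `auth != cfg.JWTSecret` passes for a request with no Authorization header whenever `cfg.JWTSecret` is empty, because `r.Header.Get` returns `""` for a missing header, so the function should refuse outright when no secret is configured. The string `!=` is also not a constant-time comparison; I would write the body as `secret := cfg.JWTSecret` followed by `return secret != "" && subtle.ConstantTimeCompare([]byte(auth), []byte(secret)) == 1`, which needs the `crypto/subtle` import. The field name suggests this value may also be a JWT signing key; if so, sending it as the admin credential puts the signing key on the wire with every admin call, and a separate admin token would be safer. A doc comment such as `// CheckToken reports whether the Authorization header equals the configured admin secret.` would also help.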
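Review bot: In `AddUser` (app/routes.go, hunk at -28,7) the new `if !CheckToken(r)` still sits after what appears to be the `ReadBody` error path, which starts outside the hunk, whereas `DeleteUser` and `AllUsers` in this same commit check the header before touching the body. Moving the check to the first statement of `AddUser` keeps unauthenticated callers away from the JSON decoder and its error messages. The rejection text is also inconsistent across handlers (`"token required"` in `AddUser` and `DeleteUser`, `"invalid token"` in `AllUsers`); one message would be cleaner, ideally with a 401 status, although what status `WriteError` sets is not visible here.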
@@ -89,19 +87,9 @@ func DeleteUser(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusNoContent) } -type AllUserReq struct { - Token string `json:"token"` -} - func AllUsers(w http.ResponseWriter, r *http.Request) { fmt.Println("AllUsers called") - req, err := ReadBody[AllUserReq](r) - if err != nil { - WriteError(w, err) - return - } - - if req.Token != cfg.JWTSecret { + if !CheckToken(r) { WriteError(w, errors.New("invalid token")) return } @@ -120,9 +108,7 @@ type GetConnectURLReq struct { } func GetUserURL(w http.ResponseWriter, r *http.Request) { - vars := r.URL.Query() - idS := vars.Get("id") - id, err := strconv.Atoi(idS) + req, err := ReadBody[GetConnectURLReq](r) if err != nil { WriteError(w, err) return @@ -133,11 +119,15 @@ func GetUserURL(w http.ResponseWriter, r *http.Request) { WriteError(w, err) return } - user, err := provider.GetById(id) + user, err := provider.GetById(req.ID) if err != nil { WriteError(w, err) return } + if user.Password != req.Pass { + WriteError(w, errors.New("invalid password")) + return + } urlTemplate := "hysteria2://%s@%s:%s?obfs=salamander&obfs-password=%s&type=hysteria&mport&security=tls&sni=%s&alpn=h3&fp=chrome&allowInsecure=0#%s" authString := encodeURL(user) diff --git a/main.go b/main.go index 28f117b..900fb18 100644 --- a/main.go +++ b/main.go @@ -19,7 +19,7 @@ func main() { r.HandleFunc("/delete", app.DeleteUser) r.HandleFunc("/users", app.AllUsers) - r.HandleFunc("/connect_url", app.GetUserURL) + r.HandleFunc("/connect", app.GetUserURL) r.HandleFunc("/auth", app.DoAuth)
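Review bot: The new check `user.Password != req.Pass` in `GetUserURL` (hunk at -133,11) compares the stored value directly with the submitted one, which suggests the provider keeps passwords in a directly comparable form, and it does so with a non-constant-time comparison. Because a `GetById` failure is passed through `WriteError(w, err)` while a wrong password yields `"invalid password"`, the responses also reveal which integer IDs exist to a caller who holds no admin token; returning the same generic error in both cases would close that. At minimum I would change the condition to `if subtle.ConstantTimeCompare([]byte(user.Password), []byte(req.Pass)) != 1 {` and put a rate limit on this route, since ID plus password is now the only gate on the connection URL. The function body continues outside the hunk.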