Update app.py

app.py

@@ -35,15 +35,25 @@ ADMIN_CONFIG_FILE = os.path.join(DATA_ROOT, "admin_config.json")
 os.makedirs(VIDEO_DIR, exist_ok=True)
 
 # ==================================================
-# ADMIN AUTH (PIN)
+# ADMIN AUTH (ENV ONLY)
 # ==================================================
-ADMIN_PIN = os.environ.get("ADMIN_PIN", "4286")  # CHANGE THIS
+ADMIN_KEY = os.environ.get("ADMIN_KEY")  # REQUIRED (no default; code can be public)
 ADMIN_COOKIE = "admin_session"
 ADMIN_SESSIONS = set()
 
+def admin_enabled() -> bool:
+    return bool(ADMIN_KEY and str(ADMIN_KEY).strip())
+
 def is_admin(req: Request) -> bool:
     return req.cookies.get(ADMIN_COOKIE) in ADMIN_SESSIONS
 
+def secure_equals(a: str, b: str) -> bool:
+    # constant-time compare
+    try:
+        return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))
+    except Exception:
+        return False
+
 # ==================================================
 # DEFAULT ALBUM MAPS (used only if admin_config.json missing)
 # ==================================================
@@ -65,12 +75,11 @@ DEFAULT_ALBUM_CATEGORIES = {
     "B2c5ON9t3uz8kT7": "Cole Content Creator",
 }
 
-# In-memory config (loaded at startup)
 ALBUM_PUBLISHERS = dict(DEFAULT_ALBUM_PUBLISHERS)
 ALBUM_CATEGORIES = dict(DEFAULT_ALBUM_CATEGORIES)
 
 # ==================================================
-# LOCKS (avoid index.json corruption)
+# LOCKS (avoid json corruption)
 # ==================================================
 INDEX_LOCK = asyncio.Lock()
 CONFIG_LOCK = asyncio.Lock()
@@ -128,7 +137,7 @@ async def refresh_album_maps_from_disk():
     ALBUM_CATEGORIES = dict(cfg.get("album_categories", {}))
 
 # ==================================================
-# BACKFILL CATEGORIES/PUBLISHERS (fix old cached entries)
+# BACKFILL CATEGORIES/PUBLISHERS
 # ==================================================
 async def backfill_index_categories():
     try:
@@ -141,12 +150,10 @@ async def backfill_index_categories():
                 correct_category = ALBUM_CATEGORIES.get(token, "Uncategorized")
                 correct_publisher = ALBUM_PUBLISHERS.get(token, "Unknown")
 
-                # Fix publisher if missing
                 if v.get("publisher") in (None, "", "Unknown") and correct_publisher != "Unknown":
                     v["publisher"] = correct_publisher
                     changed = True
 
-                # Fix category if missing or wrong
                 if v.get("category") in (None, "", v.get("publisher")) or v.get("category") != correct_category:
                     v["category"] = correct_category
                     changed = True
@@ -180,7 +187,6 @@ ICLOUD_HEADERS = {
 ICLOUD_PAYLOAD = '{"streamCtag":null}'
 
 async def get_base_url(token: str) -> str:
-    # Keep your original logic
     if token and token[0] == "A":
         n = base62_to_int(token[1])
     else:
@@ -246,7 +252,6 @@ async def poll_album(token: str):
     guids = [p["photoGuid"] for p in metadata]
     assets = await get_asset_urls(base_url, guids)
 
-    # Snapshot known IDs under lock (so we don't race writes)
     async with INDEX_LOCK:
         index = load_index_sync()
         known = {v["id"] for v in index.get("videos", [])}
@@ -314,11 +319,10 @@ async def poll_album(token: str):
             save_index_sync(idx)
 
 # ==================================================
-# STARTUP: LOAD CONFIG + BACKFILL + START POLLER
+# STARTUP
 # ==================================================
 @app.on_event("startup")
 async def start_polling():
-    # Ensure config exists
     if not os.path.exists(ADMIN_CONFIG_FILE):
         save_admin_config_sync({
             "album_publishers": dict(DEFAULT_ALBUM_PUBLISHERS),
@@ -328,9 +332,11 @@ async def start_polling():
     await refresh_album_maps_from_disk()
     await backfill_index_categories()
 
+    if not admin_enabled():
+        logging.warning("ADMIN_KEY is not set. Admin panel is disabled until you set ADMIN_KEY.")
+
     async def loop():
         while True:
-            # Iterate dynamic albums from config
             tokens = list(ALBUM_PUBLISHERS.keys())
             for token in tokens:
                 try:
@@ -350,7 +356,7 @@ async def get_video_feed():
         return load_index_sync()
 
 # ==================================================
-# LEGACY ENDPOINTS (unchanged)
+# LEGACY ENDPOINTS
 # ==================================================
 @app.get("/album/{token}")
 async def legacy_album(token: str):
@@ -399,7 +405,12 @@ async def legacy_album_raw(token: str):
 # ==================================================
 @app.get("/admin/login", response_class=HTMLResponse)
 async def admin_login_page():
-    # No f-string here -> no brace issues
+    if not admin_enabled():
+        return HTMLResponse(
+            "<h3>Admin disabled</h3><p>Set environment variable <code>ADMIN_KEY</code> to enable.</p>",
+            status_code=503
+        )
+
     return """
     <html>
       <head>
@@ -411,22 +422,27 @@ async def admin_login_page():
           input, button { width:100%; padding:12px; font-size:16px; border-radius:10px; border:1px solid #333; background:#0f0f0f; color:#fff; }
           button { background:#2a2a2a; cursor:pointer; margin-top:10px; }
           button:hover { background:#3a3a3a; }
+          .small { font-size:12px; opacity:0.8; margin-top:10px; }
         </style>
       </head>
       <body>
         <form class="card" method="post">
           <h2 style="margin:0 0 10px 0;">Admin Panel</h2>
-          <input type="password" name="pin" placeholder="PIN" autofocus />
+          <input type="password" name="key" placeholder="ADMIN_KEY" autofocus />
           <button type="submit">Enter</button>
+          <div class="small">This requires <code>ADMIN_KEY</code> env var set on the server.</div>
         </form>
       </body>
     </html>
     """
 
 @app.post("/admin/login")
-async def admin_login(pin: str = Form(...)):
-    if pin != ADMIN_PIN:
-        return HTMLResponse("Wrong PIN", status_code=401)
+async def admin_login(key: str = Form(...)):
+    if not admin_enabled():
+        return HTMLResponse("Admin disabled (ADMIN_KEY not set)", status_code=503)
+
+    if not secure_equals(str(key).strip(), str(ADMIN_KEY).strip()):
+        return HTMLResponse("Wrong key", status_code=401)
 
     session = secrets.token_hex(16)
     ADMIN_SESSIONS.add(session)
@@ -445,7 +461,7 @@ async def admin_logout(req: Request):
     return resp
 
 # ==================================================
-# ADMIN: DASHBOARD (VIDEOS + ALBUMS)
+# ADMIN UI TEMPLATE
 # ==================================================
 def esc(v) -> str:
     return html_escape_lib.escape("" if v is None else str(v), quote=True)
@@ -468,6 +484,8 @@ ADMIN_TEMPLATE = """
       input { width:100%; padding:8px; border-radius:10px; border:1px solid #333; background:#0f0f0f; color:#fff; }
       button { padding:10px 12px; border-radius:10px; border:1px solid #333; background:#2a2a2a; color:#fff; cursor:pointer; }
       button:hover { background:#3a3a3a; }
+      .danger { background:#3a1d1d; border-color:#6a2a2a; }
+      .danger:hover { background:#5a2424; }
       .small { font-size:12px; opacity:0.85; }
       .grid2 { display:grid; grid-template-columns: 1fr 1fr; gap:10px; }
       @media (max-width: 900px) { .grid2 { grid-template-columns: 1fr; } }
@@ -476,7 +494,7 @@ ADMIN_TEMPLATE = """
   <body>
     <div class="row">
       <h1 style="margin-right:auto;">Admin</h1>
-      <span class="pill">PIN session active</span>
+      <span class="pill">Session active</span>
       <a href="/admin/logout" class="pill">Logout</a>
     </div>
 
@@ -509,17 +527,20 @@ ADMIN_TEMPLATE = """
 
     <div class="card">
       <h2 style="margin:0 0 8px 0;">Videos</h2>
-      <div class="small">Edits save to index.json instantly on field change.</div>
+      <div class="small">
+        Thumbnail supports either a local path like <code>/media/TOKEN/ID.jpg</code> or a full URL like <code>https://...</code>
+      </div>
       <table>
         <thead>
           <tr>
-            <th style="width:13%;">ID</th>
-            <th style="width:16%;">Name</th>
+            <th style="width:12%;">ID</th>
+            <th style="width:14%;">Name</th>
             <th style="width:16%;">Upload Date</th>
             <th style="width:10%;">Category</th>
             <th style="width:12%;">Publisher</th>
             <th style="width:18%;">Thumbnail</th>
-            <th style="width:15%;">Source Album</th>
+            <th style="width:13%;">Source Album</th>
+            <th style="width:5%;">Action</th>
           </tr>
         </thead>
         <tbody>
@@ -543,11 +564,11 @@ ADMIN_TEMPLATE = """
         const t = e.target;
         if (!t || !t.dataset || !t.dataset.id) return;
 
-        const id = t.dataset.id;
-        const field = t.dataset.field;
-        const value = t.value;
-
-        await postJSON("/admin/update", { id, field, value });
+        await postJSON("/admin/update", {
+          id: t.dataset.id,
+          field: t.dataset.field,
+          value: t.value
+        });
       });
 
       // autosave album fields
@@ -555,11 +576,11 @@ ADMIN_TEMPLATE = """
         const t = e.target;
         if (!t || !t.dataset || !t.dataset.album) return;
 
-        const token = t.dataset.album;
-        const field = t.dataset.field;
-        const value = t.value;
-
-        await postJSON("/admin/albums/update", { token, field, value });
+        await postJSON("/admin/albums/update", {
+          token: t.dataset.album,
+          field: t.dataset.field,
+          value: t.value
+        });
       });
 
       async function addAlbum() {
@@ -572,13 +593,25 @@ ADMIN_TEMPLATE = """
         if (out && out.ok) location.reload();
         else alert(out.error || "failed");
       }
+
+      async function deleteVideo(id) {
+        if (!confirm("Delete this video? This removes it from the feed and deletes local files if present.")) return;
+        const out = await postJSON("/admin/videos/delete", { id });
+        if (out && out.ok) location.reload();
+        else alert(out.error || "failed");
+      }
     </script>
   </body>
 </html>
 """
 
+# ==================================================
+# ADMIN: DASHBOARD
+# ==================================================
 @app.get("/admin", response_class=HTMLResponse)
 async def admin_dashboard(req: Request):
+    if not admin_enabled():
+        return HTMLResponse("Admin disabled (ADMIN_KEY not set)", status_code=503)
     if not is_admin(req):
         return RedirectResponse("/admin/login", status_code=302)
 
@@ -586,7 +619,6 @@ async def admin_dashboard(req: Request):
         idx = load_index_sync()
     cfg = await load_admin_config()
 
-    # Build album rows
     ap = cfg.get("album_publishers", {})
     ac = cfg.get("album_categories", {})
     album_tokens = sorted(set(ap.keys()) | set(ac.keys()))
@@ -601,7 +633,6 @@ async def admin_dashboard(req: Request):
             "</tr>"
         )
 
-    # Build video rows
     video_rows = ""
     for v in idx.get("videos", []):
         vid = esc(v.get("id", ""))
@@ -612,8 +643,9 @@ async def admin_dashboard(req: Request):
             f"<td><input data-id=\"{vid}\" data-field=\"upload_date\" value=\"{esc(v.get('upload_date',''))}\"></td>"
             f"<td><input data-id=\"{vid}\" data-field=\"category\" value=\"{esc(v.get('category',''))}\"></td>"
             f"<td><input data-id=\"{vid}\" data-field=\"publisher\" value=\"{esc(v.get('publisher',''))}\"></td>"
-            f"<td><input data-id=\"{vid}\" data-field=\"thumbnail\" value=\"{esc(v.get('thumbnail',''))}\"></td>"
+            f"<td><input data-id=\"{vid}\" data-field=\"thumbnail\" value=\"{esc(v.get('thumbnail',''))}\" placeholder=\"/media/TOKEN/ID.jpg or https://...\"></td>"
             f"<td><input data-id=\"{vid}\" data-field=\"source_album\" value=\"{esc(v.get('source_album',''))}\"></td>"
+            f"<td><button class=\"danger\" onclick=\"deleteVideo('{vid}')\">Del</button></td>"
             "</tr>"
         )
 
@@ -623,14 +655,12 @@ async def admin_dashboard(req: Request):
 # ==================================================
 # ADMIN: UPDATE VIDEO METADATA
 # ==================================================
-ALLOWED_VIDEO_FIELDS = {
-    "name", "upload_date", "category", "publisher", "thumbnail", "source_album",
-    # (Optional) allow these if you want:
-    # "video_url",
-}
+ALLOWED_VIDEO_FIELDS = {"name", "upload_date", "category", "publisher", "thumbnail", "source_album"}
 
 @app.post("/admin/update")
 async def admin_update(req: Request, payload: dict):
+    if not admin_enabled():
+        return JSONResponse({"error": "admin disabled"}, status_code=503)
     if not is_admin(req):
         return JSONResponse({"error": "unauthorized"}, status_code=403)
 
@@ -651,25 +681,73 @@ async def admin_update(req: Request, payload: dict):
 
     return JSONResponse({"error": "video not found"}, status_code=404)
 
+# ==================================================
+# ADMIN: DELETE VIDEO (index + local files)
+# ==================================================
+def _safe_remove_file(path: str):
+    try:
+        if path and os.path.isfile(path):
+            os.remove(path)
+    except Exception:
+        logging.exception(f"Failed to remove file: {path}")
+
+@app.post("/admin/videos/delete")
+async def admin_delete_video(req: Request, payload: dict):
+    if not admin_enabled():
+        return JSONResponse({"error": "admin disabled"}, status_code=503)
+    if not is_admin(req):
+        return JSONResponse({"error": "unauthorized"}, status_code=403)
+
+    vid = str(payload.get("id", "")).strip()
+    if not vid:
+        return JSONResponse({"error": "id required"}, status_code=400)
+
+    async with INDEX_LOCK:
+        idx = load_index_sync()
+        videos = idx.get("videos", [])
+
+        target = None
+        for v in videos:
+            if v.get("id") == vid:
+                target = v
+                break
+
+        if not target:
+            return JSONResponse({"error": "video not found"}, status_code=404)
+
+        # Delete local files if they exist
+        token = target.get("source_album", "")
+        if token:
+            mp4_path = os.path.join(VIDEO_DIR, token, f"{vid}.mp4")
+            jpg_path = os.path.join(VIDEO_DIR, token, f"{vid}.jpg")
+            _safe_remove_file(mp4_path)
+            _safe_remove_file(jpg_path)
+
+        # Remove from index
+        idx["videos"] = [v for v in videos if v.get("id") != vid]
+        save_index_sync(idx)
+
+    return {"ok": True}
+
 # ==================================================
 # ADMIN: ALBUM MANAGEMENT (persisted)
 # ==================================================
 @app.post("/admin/albums/add")
 async def admin_albums_add(req: Request, payload: dict):
+    if not admin_enabled():
+        return JSONResponse({"error": "admin disabled"}, status_code=503)
     if not is_admin(req):
         return JSONResponse({"error": "unauthorized"}, status_code=403)
 
     token = str(payload.get("token", "")).strip()
     publisher = str(payload.get("publisher", "")).strip() or "Unknown"
     category = str(payload.get("category", "")).strip() or "Uncategorized"
-
     if not token:
         return JSONResponse({"error": "token required"}, status_code=400)
 
     cfg = await load_admin_config()
     cfg.setdefault("album_publishers", {})
     cfg.setdefault("album_categories", {})
-
     cfg["album_publishers"][token] = publisher
     cfg["album_categories"][token] = category
 
@@ -681,6 +759,8 @@ async def admin_albums_add(req: Request, payload: dict):
 
 @app.post("/admin/albums/update")
 async def admin_albums_update(req: Request, payload: dict):
+    if not admin_enabled():
+        return JSONResponse({"error": "admin disabled"}, status_code=503)
     if not is_admin(req):
         return JSONResponse({"error": "unauthorized"}, status_code=403)