Add Basic Auth middleware to protect UI

server.js

@@ -23,7 +23,31 @@ const port = process.env.PORT || 3000;
 app.use(cors());
 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: true }));
-app.use(express.static('public')); // Serve the embed.js script
+
+// Basic Auth for UI Protection
+app.use((req, res, next) => {
+  // Always permit the API and integration scripts
+  if (req.path.startsWith('/api/') || req.path === '/embed.js' || req.path === '/live-site-integration.js') {
+    return next();
+  }
+
+  // For HTML pages and other assets, require a password
+  const b64auth = (req.headers.authorization || '').split(' ')[1] || '';
+  const [login, password] = Buffer.from(b64auth, 'base64').toString().split(':');
+
+  // Let them use 'admin' as the username, and the SMTP password (or fallback to 'admin' if not deployed yet)
+  const expectedPassword = process.env.UI_PASSWORD || process.env.SMTP_PASS || 'admin';
+
+  // We allow 'admin' user or ANY user as long as the password matches. Browsers usually prompt for both.
+  if (password === expectedPassword) {
+    return next();
+  }
+
+  res.set('WWW-Authenticate', 'Basic realm="Restricted WallAPI Space"');
+  res.status(401).send('Authentication required. Username: admin. Password matches your SMTP_PASS Secret (or "admin" if not set).');
+});
+
+app.use(express.static('public')); // Serve the frontend assets
 
 // Google Sheets Setup
 const SCOPES = ['https://www.googleapis.com/auth/spreadsheets'];