fix: auth and CI for moderation service (#391)

- make /admin public so HTML page loads (auth handled client-side for API calls)
- reject protected requests if MODERATION_AUTH_TOKEN not set (security fix)
- add CI workflow to auto-deploy on push to main when moderation/** changes

requires FLY_API_TOKEN_MODERATION secret to be set in GitHub

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>

authored by zzstoatzz.io Claude and committed by GitHub 7bbe8f66 7e334b38

Changed files
+34 -2
+30
.github/workflows/deploy-moderation.yml
··· 1 + name: deploy moderation 2 + 3 + on: 4 + push: 5 + branches: 6 + - main 7 + paths: 8 + - "moderation/src/**" 9 + - "moderation/Cargo.toml" 10 + - "moderation/Cargo.lock" 11 + - "moderation/Dockerfile" 12 + - "moderation/fly.toml" 13 + - ".github/workflows/deploy-moderation.yml" 14 + workflow_dispatch: 15 + 16 + jobs: 17 + deploy: 18 + name: deploy moderation 19 + runs-on: ubuntu-latest 20 + concurrency: deploy-moderation 21 + steps: 22 + - uses: actions/checkout@v4 23 + 24 + - uses: superfly/flyctl-actions/setup-flyctl@master 25 + 26 + - name: deploy to fly.io 27 + run: flyctl deploy --config moderation/fly.toml --remote-only -a plyr-moderation 28 + working-directory: moderation 29 + env: 30 + FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN_MODERATION }}
+4 -2
moderation/src/auth.rs
··· 12 12 let path = req.uri().path(); 13 13 14 14 // Public endpoints - no auth required 15 + // Note: /admin serves HTML, auth is handled client-side for API calls 15 16 if path == "/" 16 17 || path == "/health" 18 + || path == "/admin" 17 19 || path.starts_with("/xrpc/com.atproto.label.") 18 20 { 19 21 return Ok(next.run(req).await); 20 22 } 21 23 22 24 let Some(expected_token) = auth_token else { 23 - warn!("no MODERATION_AUTH_TOKEN set - accepting all requests"); 24 - return Ok(next.run(req).await); 25 + warn!("no MODERATION_AUTH_TOKEN set - rejecting protected request"); 26 + return Err(StatusCode::SERVICE_UNAVAILABLE); 25 27 }; 26 28 27 29 let token = req
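Review bot: In .github/workflows/deploy-moderation.yml, the step at new line 24 uses `superfly/flyctl-actions/setup-flyctl@master`, a mutable branch reference, in the same job that exposes `FLY_API_TOKEN` to the deploy step. Whatever lands on that branch runs in this job on the next push to main. Pin the action to a full commit SHA (or at least a release tag) so the code that runs next to the deploy token is fixed and reviewable. The workflow also has no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope. Since it only checks out and deploys, `permissions: contents: read` would be enough. Separately, the deploy step sets `working-directory: moderation` and also passes `--config moderation/fly.toml`. If flyctl resolves that path against the working directory, it will look for moderation/moderation/fly.toml, so one of the two should probably go. Finally, the commit message says the trigger is `moderation/**`, but the `paths` list names specific files, so changes elsewhere under moderation/ will not deploy. If that is intended, the message should say so.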
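Review bot: In moderation/src/auth.rs, the new comment at line 15 ("auth is handled client-side for API calls") reads as though enforcement happens in the browser, which is not something the server can rely on. Please reword it to say that only the HTML shell at `/admin` is public and that every API route the page calls still goes through the token check below. It is also worth confirming that the page served at `/admin` contains no moderation data and no embedded token, since it is now returned to unauthenticated clients. The match is an exact `path == "/admin"`, so subpaths still require the token, and a short comment noting that this is deliberate would stop someone from widening it to `starts_with` later. The switch from accepting to returning `StatusCode::SERVICE_UNAVAILABLE` when `MODERATION_AUTH_TOKEN` is unset is the right fail-closed behaviour. As written, though, the `warn!` fires on every protected request, so consider refusing to start (or logging once at startup) when the token is missing so the misconfiguration is caught at deploy time rather than in request logs.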