Enforce access code for control APIs

app.py

@@ -20,6 +20,7 @@
 BACKGROUND_EFFECT = os.getenv("FPP_BACKGROUND_EFFECT", "background")
 POLL_INTERVAL_SECONDS = max(5, int(os.getenv("FPP_POLL_INTERVAL_MS", "15000")) // 1000)
 REQUEST_TIMEOUT = 8
+ACCESS_CODE = os.getenv("ACCESS_CODE", "").strip()
 
 state_lock = threading.RLock()
 state: Dict[str, Any] = {
@@ -119,6 +120,26 @@ def compute_locks(status: Dict[str, Any], queue: List[Dict[str, Any]], current_r
     }
 
 
+def enforce_access_code(payload: Optional[Dict[str, Any]] = None):
+    if not ACCESS_CODE:
+        return None
+
+    provided_code = (
+        request.headers.get("X-Access-Code")
+        or request.headers.get("X-Access-Token")
+        or request.args.get("accessCode")
+        or request.args.get("access_code")
+    )
+
+    if provided_code is None and payload:
+        provided_code = payload.get("accessCode") or payload.get("access_code")
+
+    if provided_code == ACCESS_CODE:
+        return None
+
+    return jsonify({"ok": False, "message": "Access code required."}), 403
+
+
 def fetch_fpp_status() -> Dict[str, Any]:
     resp = requests.get(f"{FPP_BASE_URL}/api/fppd/status", timeout=REQUEST_TIMEOUT)
     resp.raise_for_status()
@@ -458,6 +479,9 @@ def api_state():
 @app.route("/api/show", methods=["POST"])
 def api_show():
     payload = request.get_json(force=True, silent=True) or {}
+    denied = enforce_access_code(payload)
+    if denied:
+        return denied
     kind = payload.get("type", "show")
     playlist = PLAYLIST_KIDS if kind == "kids" else PLAYLIST_SHOW
     with state_lock:
@@ -565,6 +589,9 @@ def api_requests_songs():
 @app.route("/api/requests", methods=["POST"])
 def api_requests():
     payload = request.get_json(force=True, silent=True) or {}
+    denied = enforce_access_code(payload)
+    if denied:
+        return denied
     title = payload.get("song")
     sequence_name = payload.get("sequenceName")
     media_name = payload.get("mediaName")

index.html

@@ -78,6 +78,11 @@ <h3>Warteschlange</h3>
     let countdownTimer;
     let pollHandle;
 
+    function authHeaders() {
+      if (!accessCode) return {};
+      return { 'X-Access-Code': accessCode };
+    }
+
     headline.textContent = `${config.siteName || 'FPP Lichtershow'}`;
     subtitle.textContent = config.siteSubtitle || 'Fernsteuerung für den Falcon Player';
 
@@ -248,7 +253,7 @@ <h3>Warteschlange</h3>
       try {
         const response = await fetch('/api/show', {
           method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
+          headers: { 'Content-Type': 'application/json', ...authHeaders() },
           body: JSON.stringify({ type })
         });
         if (!response.ok) throw new Error(`HTTP ${response.status}`);

requests.html

@@ -59,6 +59,11 @@ <h2>Verfügbare Lieder</h2>
       window.location.href = '/';
     }
 
+    function authHeaders() {
+      if (!accessCode) return {};
+      return { 'X-Access-Code': accessCode };
+    }
+
     function markStatus(type, text) {
       statusBox.classList.remove('running', 'error');
       if (type) statusBox.classList.add(type);
@@ -108,7 +113,7 @@ <h2>Verfügbare Lieder</h2>
         return;
       }
       try {
-        const response = await fetch('/api/requests/songs');
+        const response = await fetch('/api/requests/songs', { headers: authHeaders() });
         if (!response.ok) throw new Error(`HTTP ${response.status}`);
         const data = await response.json();
         const songs = data.songs || [];
@@ -169,7 +174,7 @@ <h2>Verfügbare Lieder</h2>
         markStatus('', `Wunsch "${title}" wird eingeplant …`);
         const response = await fetch('/api/requests', {
           method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
+          headers: { 'Content-Type': 'application/json', ...authHeaders() },
           body: JSON.stringify({ song: title, sequenceName, mediaName, duration })
         });
         if (!response.ok) throw new Error(`HTTP ${response.status}`);