Do not accecpt any del cmd for "password" !IMPORTANT!

Prevent unauthorized deletion of the "password" key by checking for a 'del' command targeting it. Previously, a malicious actor could potentially forge a POST request with the 'del' command for the "password" key, leading to the website becoming unreachable. This commit addresses this security vulnerability by explicitly disallowing the deletion of the "password" key. The added check ensures that any attempt to delete this key results in a 500 Internal Server Error response with the appropriate error message. This change is crucial for maintaining the security and accessibility of the website. It is recommended to apply this fix to prevent unauthorized access to sensitive information.

worker.js

@@ -168,16 +168,24 @@ async function handleRequest(request) {
         })
       }
     } else if (req_cmd == "del") {
-      await LINKS.delete(req_key)
-
-      // 计数功能打开的话, 要把计数的那条KV也删掉
-      if (config.visit_count) {
-        await LINKS.delete(req_key + "-count")
-      }
+      // Do not accecpt any del cmd for "password" !IMPORTANT!
+      if (req_key == "password") {
 
-      return new Response(`{"status":200, "key": "` + req_key + `", "error": ""}`, {
-        headers: response_header,
-      })
+        return new Response(`{"status":500, "key": "` + req_key + `", "error":"Error:PROTECTED KEY"}`, {
+          headers: response_header,
+        })
+      } else {
+        await LINKS.delete(req_key)
+
+        // If the counting functionality is enabled, delete the corresponding KV entry for counting
+        if (config.visit_count) {
+          await LINKS.delete(req_key + "-count")
+        }
+
+        return new Response(`{"status":200, "key": "` + req_key + `", "error": ""}`, {
+          headers: response_header,
+        })
+      }
     } else if (req_cmd == "qry") {
       let value = await LINKS.get(req_key)
       if (value != null) {