From 1ca9a2083eb7ad8c6ef5a8a3fa796464dfc27ef9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn-Michael=20Miehe?= <jmm@yavook.de>
Date: Wed, 25 Feb 2026 22:50:24 +0100
Subject: [PATCH] =?UTF-8?q?=E2=9E=95=20api:=20admin/credentials:=20only=20?=
 =?UTF-8?q?allow=20certain=20"name"=20values?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 api/advent22_api/routers/admin.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/api/advent22_api/routers/admin.py b/api/advent22_api/routers/admin.py
index 931d32e..184b290 100644
--- a/api/advent22_api/routers/admin.py
+++ b/api/advent22_api/routers/admin.py
@@ -1,6 +1,7 @@
 from datetime import date
+from enum import Enum
 
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, HTTPException, status
 from pydantic import BaseModel
 
 from advent22_api.core.helpers import EventDates
@@ -173,16 +174,21 @@ async def put_doors(
     await cal_cfg.change(cfg)
 
 
+class CredentialsName(str, Enum):
+    DAV = "dav"
+    UI = "ui"
+
+
 @router.get("/credentials/{name}")
 async def get_credentials(
-    name: str,
+    name: CredentialsName,
     _: None = Depends(require_admin),
     cfg: Config = Depends(get_config),
 ) -> Credentials:
 
-    if name == "dav":
+    if name == CredentialsName.DAV:
         return SETTINGS.webdav.auth
-    elif name == "ui":
+    elif name == CredentialsName.UI:
         return cfg.admin
     else:
-        return Credentials()
+        raise HTTPException(status.HTTP_400_BAD_REQUEST)