From c4ceb7c3f4e4d42d1cdc7d99417cd145edcdaa86 Mon Sep 17 00:00:00 2001
From: Eric Phillips
Date: Tue, 5 May 2026 13:19:55 -0600
Subject: [PATCH] fixed wrong status for unauhtorized and log it
---
 TODO.md | 11 +++++------
 handler_api.go | 12 +++++++++++-
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/TODO.md b/TODO.md
index c270cb8..78af9a7 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,16 +1,15 @@
-- Add better logging for errors, filename more deatail
- - ~package main~
- - ~internal/cache~
- - api endpoint to change level
-- implement streaming
-
 - Complete testing
 - Deployment(PKGBUILD, bootstrap script?)
 - More complete sync(refresh packages on schedule with db, prefetch updates to pkgs we already have)
 - clean cache of old files
+- implement streaming
 - Add chi for mux
 - Build server/tool
 - Think about: arch doesn't like partial upgrades, round robin fetching the db files might be an issue
+- ~Add better logging for errors, filename more deatail~
+ - ~package main~
+ - ~internal/cache~
+ - ~api endpoint to change level~
 - ~retry on failed fetch~
 - ~Solve timeout issue large pkgs~
 - ~Move project to github as primary~
diff --git a/handler_api.go b/handler_api.go
index 42e8c9c..ae77ffd 100644
--- a/handler_api.go
+++ b/handler_api.go
@@ -9,7 +9,12 @@ import (
 func (s *Server) handlerRefresh(w http.ResponseWriter, req *http.Request) {
 if req.Header.Get("Authorization") != "Bearer "+s.cfg.Auth.Token {
- http.Error(w, "unauthorized", http.StatusInternalServerError)
+ ip := req.Header.Get("X-Real-IP")
+ if ip == "" {
+ ip = req.RemoteAddr
+ }
+ slog.Warn("unauthorized request", "ip", ip, "path", req.URL.Path, "method", req.Method)
+ respondWithError(w, http.StatusUnauthorized, "unauthorized")
 return
 }
 defer req.Body.Close()
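Review bot: The `ip` field in the new warning comes from the `X-Real-IP` request header, which the caller controls unless a trusted reverse proxy always overwrites it; nothing in this hunk shows such a proxy, so a rejected client can choose the address that ends up in the log. Whatever reads this line for alerting or address blocking would then act on a value the sender supplied. Log the socket peer unconditionally and keep the header as a separate, clearly untrusted field: `slog.Warn("unauthorized request", "remote_addr", req.RemoteAddr, "x_real_ip", req.Header.Get("X-Real-IP"), "path", req.URL.Path, "method", req.Method)`. The same lines are added to handlerLogLevel in the next hunk, and handlerRefresh's body continues outside this one.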
@@ -24,6 +29,11 @@ func (s *Server) handlerRefresh(w http.ResponseWriter, req *http.Request) {
 func (s *Server) handlerLogLevel(w http.ResponseWriter, req *http.Request) {
 if req.Header.Get("Authorization") != "Bearer "+s.cfg.Auth.Token {
+ ip := req.Header.Get("X-Real-IP")
+ if ip == "" {
+ ip = req.RemoteAddr
+ }
+ slog.Warn("unauthorized request", "ip", ip, "path", req.URL.Path, "method", req.Method)
 respondWithError(w, http.StatusUnauthorized, "unauthorized")
 return
 }
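Review bot: The five added lines are a verbatim copy of the block added to handlerRefresh, so the token check, the client-address lookup and the log call now exist twice and must be kept in step by hand. Moving the rejection path into one method on Server that both handlers call keeps it in one place; the name `authorized` below is only a suggestion. The unchanged `if` line compares the header with `!=`, which is not constant-time, and it would accept a bare `Bearer ` if `s.cfg.Auth.Token` were ever empty; whether config validation rules that out is not visible here. The sketch handles both in the shared helper and needs `crypto/subtle` added to the file's imports. handlerLogLevel's body continues outside the hunk.

```go
// authorized reports whether req carries the configured bearer token. On
// failure it logs the attempt and writes the 401 response itself.
func (s *Server) authorized(w http.ResponseWriter, req *http.Request) bool {
	want := "Bearer " + s.cfg.Auth.Token
	got := req.Header.Get("Authorization")
	// An unset token must never authenticate anyone.
	if s.cfg.Auth.Token != "" && subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1 {
		return true
	}
	// … unchanged: client address lookup and slog.Warn call …
	respondWithError(w, http.StatusUnauthorized, "unauthorized")
	return false
}

func (s *Server) handlerLogLevel(w http.ResponseWriter, req *http.Request) {
	if !s.authorized(w, req) {
		return
	}
```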