Disable /admin* endpoints when no adminPass is set

lib/endpoints.js

@@ -55,11 +55,13 @@ app.get('/config.json', (req, res) => {
 });
 
 
-app.get('/admin', (req, res) => {
+app.get('/admin', (req, res, next) => {
+  if(!config.adminPass) return next();
   res.sendFile(path.join(__dirname, '../public/html/admin.html'));
 });
-app.get('/admin/data.json', (req, res) => {
-  if(!config.adminPass || !req.get('x-passwd')) return res.status(401).send('Unauthorized');
+app.get('/admin/data.json', (req, res, next) => {
+  if(!config.adminPass) return next();
+  if(!req.get('x-passwd')) return res.status(401).send('Unauthorized');
   if(req.get('x-passwd') !== config.adminPass) return res.status(403).send('Forbidden');
 
   const result = _.chain(db.db)
@@ -77,7 +79,10 @@ app.get('/admin/data.json', (req, res) => {
     })
     .value();
 
-  res.json(result);
+  // make bruteforce attack more difficult
+  setTimeout(() => {
+    res.json(result);
+  },250);
 });