Add a simple authentification to get stats

[VMois]

If the project is deployed, anyone can go to /stats and query the statistics. If we do not care that our stats are public, it is not a problem. But, in our case, we also have a free plan limit on the amount of reads. Our goal is to use the free plan of Plantscale for small websites. Even with a paid plan, we pay for reads. We want to avoid the possibility of someone unknown refreshing pages many times and exhausting our free plan limit.

Because our solution is aimed at simple, small websites, it is okay to have a simple form of authentication. We only need one user.

I propose to add an env variable with a password, no username. When accessing /stats endpoint, we need to add a password as an Authorization header. On the server side, we calculate the hash of random string (salt) + env with password and compare it to the hash of the same random string and received password from auth header.

We should also consider adding some sort of rate limiting. The only issue is that you can build it Durable Objects and they come in paid plan only.

[VMois]

We can look at the D1 SQL database or KV store for rate limiting. The only issue with both of them is that they are eventually consistent. Meaning we can read old data even after writing a new one. It can lead to issues when number of requests per second is not properly calculated.