Replying to sperry

My son's first website, that he built yesterday...

https://phenomenal-kringle-f50435.netlify.app/

Proud he incorporated bitcoin, but that's what you need to do when you don't have access to payment processors.

drysky515@getalby.com if you care to send him a few sats.

Where can I report a major security issue?


Discussion

To me please!!!!

The site has moved, but what's the issue?

https://case-files.netlify.app/

- Anyone can edit localStorage to set `IsAdmin=1` and gain admin privileges.

- The password is fetched from the database and stored in a local variable, so it can be easily accessed through the browser console.

I redeployed, could you check now, please? Thanks so much! Very valuable feedback.

You're welcome, it's like a Capture The Flag (; !

It’s a good thing you no longer have a big "Admin Login" button at the top.

That said, you can still just type "state.adminPassword" in the browser console to get the password.

The issue is that the login process seems to be entirely handled by the client.

To put it simply, a website’s code is usually split into two parts:

- Client-side: This is the JavaScript and HTML that runs directly on the visitor’s computer. The visitor can easily view and modify this code from their browser. You should never trust the client, nor use it to store sensitive information, because everything is publicly accessible and editable. LocalStorage and cookies are also stored client-side.

- Server-side: The code can be in various languages like PHP and runs on the server. If your server is secure, the code and data stored there won’t be publicly accessible. This is where the database should be, and it’s also where password verification should happen, so the password never has to be sent to the client.

These two parts communicate via HTTP requests (POST, GET, etc.). The server should never trust what the client sends, because it can be manipulated.

For a login system with VERY BASIC security:

- The user enters their password.

- The password is sent to the server via an HTTP POST request, either using the `fetch` function or an HTML form.

- The server receives the password and compares it to the real one.

- If the password is valid, the server creates an encrypted session variable with a secure token.

This way, the client never receives the password.

Yes, this is a lot to set up for an admin login, not to mention other things like brute-force protection or encryption. But there’s a simpler way to handle authentication without managing it yourself: you can use OAuth, which delegates authentication to a third party like Google or even Nostr.

Unfortunately, there’s another issue. Your site uses Firebase to store data, but the Firebase API key, which grants full access to the database, is stored client-side and is therefore public. So anybody can update and read your Firebase database. I’m not an expert on Firebase, but secrets and databases should always be managed server-side.

It seems like you haven’t written any server-side code, and I don’t think Netlify allows it. So either you make a purely client-side (static) page like you’re doing now, embed the book data directly in the JavaScript, and remove the admin page entirely. Or, the more flexible but also more complex solution: use a server that supports something like PHP, set up your own database or use Firebase properly, and implement either secure authentication or OAuth.

That’s it. I hope this was clear and not too discouraging. I’m not a specialist either, so I might have missed some other options.

Good luck, and if you need help, don’t hesitate to reach out, it’s my pleasure.

(I used automatic translation from French to English, because it's easier for me)

- Passwords must never be sent to the client, all login verification must be handled exclusively on the backend.

- IsAdmin must be stored in a server-controlled, encrypted session variable.

- A great security practice is to hash passwords before storing them in the database.

Congratulations to your son on his first website!

Thanks for taking the time out to check and provide this feedback. We are grateful in this house to know about NOSTR and have such a helpful community.

I'll pass on the congratulations.

Cheers!

Is the admin password hard-coded in the JS? Fixing that now.