diff --git a/config_example.json b/config_example.json
index 86a1325..846f740 100644
--- a/config_example.json
+++ b/config_example.json
@@ -71,6 +71,7 @@
 "meme_creator": true,
 "enable_cleanup": false,
 "enable_data_export": true,
+ "enable_user_api_keys": true,
 "cleanup_timeframe_days": 30,
 "web_url_upload": true,
 "enable_youtube_upload": true,
diff --git a/src/inc/routes/apiv2/settings.mjs b/src/inc/routes/apiv2/settings.mjs
index aef053a..f671709 100644
--- a/src/inc/routes/apiv2/settings.mjs
+++ b/src/inc/routes/apiv2/settings.mjs
@@ -732,6 +732,9 @@ export default router => {
 // GET /api/v2/settings/api-key
 // Returns whether the user has an API key, when it was created, and the last 8 chars (masked preview).
 group.get(/\/api-key$/, lib.loggedin, async (req, res) => {
+ if (cfg.websrv.enable_user_api_keys === false) {
+ return res.json({ success: false, msg: 'API keys are disabled' }, 403);
+ }
 try {
 const row = (await db`
 SELECT api_key, created_at
@@ -759,6 +762,9 @@ export default router => {
 // POST /api/v2/settings/api-key/regenerate
 // Generates a new key (or replaces an existing one). Returns the full key — only shown once.
 group.post(/\/api-key\/regenerate$/, lib.loggedin, async (req, res) => {
+ if (cfg.websrv.enable_user_api_keys === false) {
+ return res.json({ success: false, msg: 'API keys are disabled' }, 403);
+ }
 try {
 const newKey = crypto.randomBytes(32).toString('hex');
@@ -784,6 +790,9 @@ export default router => {
 // DELETE /api/v2/settings/api-key
 // Revokes (deletes) the user's API key.
 group.delete(/\/api-key$/, lib.loggedin, async (req, res) => {
+ if (cfg.websrv.enable_user_api_keys === false) {
+ return res.json({ success: false, msg: 'API keys are disabled' }, 403);
+ }
 try {
 const result = await db`
 DELETE FROM user_api_keys
diff --git a/src/inc/routes/settings.mjs b/src/inc/routes/settings.mjs
index e52c2c1..63b928c 100644
--- a/src/inc/routes/settings.mjs
+++ b/src/inc/routes/settings.mjs
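Review bot: The `cfg.websrv.enable_user_api_keys === false` guard added to the GET /api-key handler in src/inc/routes/apiv2/settings.mjs is copied verbatim into the regenerate and DELETE handlers, and it fails open: only the literal boolean `false` turns the feature off, so a string `"false"` or `0` in the config leaves key management enabled. For a switch that disables an authentication path, consider normalising the value once and sharing it, for example `const apiKeysEnabled = cfg.websrv.enable_user_api_keys !== false; // missing key means enabled`, or a small middleware placed after `lib.loggedin`. The template flag and the upload handler later in this diff repeat the same comparison and could use the same helper. The handler bodies continue outside these hunks.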
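Review bot: In the DELETE /api-key handler the new guard returns 403 before the `DELETE FROM user_api_keys` statement, so once the feature is switched off a user can no longer revoke a key that already exists. The rows stay in `user_api_keys` and, as far as this diff shows, would be accepted again as soon as the flag is turned back on. Consider leaving revocation available while the feature is disabled (drop the guard from this route only) and recording the intent with a comment such as `// revocation stays available even when API keys are disabled`, or document that operators should purge the table when disabling. The handler body continues outside the hunk.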
@@ -50,6 +50,7 @@ export default (router, tpl) => {
 joined: user?.created_at || null,
 enable_swf: cfg.enable_swf,
 enable_data_export: cfg.websrv.enable_data_export,
+ enable_user_api_keys: cfg.websrv.enable_user_api_keys !== false,
 site_domain: cfg.main.url.domain,
 session: (req.session && req.session.user) ? { ...req.session } : false,
 page_meta: {
diff --git a/src/upload_handler.mjs b/src/upload_handler.mjs
index 3513c88..4ce9018 100644
--- a/src/upload_handler.mjs
+++ b/src/upload_handler.mjs
@@ -38,7 +38,7 @@ export const handleUpload = async (req, res, self) => {
 }
 // Fallback: authenticate via X-Api-Key header (upload-only; no CSRF required)
- if (!req.session && req.headers['x-api-key']) {
+ if (!req.session && req.headers['x-api-key'] && cfg.websrv.enable_user_api_keys !== false) {
 const key = req.headers['x-api-key'];
 try {
 const rows = await db`
@@ -108,7 +108,7 @@ export const handleUpload = async (req, res, self) => {
 const is_oc = (parts.is_oc === 'true' || parts.is_oc === '1');
- const is_shitpost = (parts.is_shitpost === 'true' || parts.is_shitpost === '1');
+ const is_shitpost = (parts.is_shitpost === 'true' || parts.is_shitpost === '1') || cfg.websrv.shitpost_mode === true;
 const maxLen = cfg.main.comment_max_length;
 if (comment && maxLen !== null && maxLen !== undefined && comment.length > maxLen) {
diff --git a/views/settings.html b/views/settings.html
index b9edc2d..e3c3233 100644
--- a/views/settings.html
+++ b/views/settings.html
@@ -407,6 +407,7 @@ @endif
+ @if(enable_user_api_keys)
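Review bot: With the added `cfg.websrv.enable_user_api_keys !== false` condition in the first src/upload_handler.mjs hunk, a request that presents `X-Api-Key` while the feature is off skips the whole block silently and continues as a session-less request; what happens to it next is outside the hunk. An explicit branch that rejects such a request with the same 403 message used by the settings routes, and logs it, would make the outcome unambiguous and show operators that disabled keys are still being presented. At minimum the comment above the condition should say so: `// Fallback: authenticate via X-Api-Key header (upload-only; no CSRF required; skipped when enable_user_api_keys is false)`.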
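Review bot: The `|| cfg.websrv.shitpost_mode === true` override on `is_shitpost` in the second src/upload_handler.mjs hunk is unrelated to the API-key toggle that the rest of this diff implements, and `shitpost_mode` is not added to config_example.json here, so the key is undocumented as far as the diff shows. When the setting is on, the client-supplied `parts.is_shitpost` field no longer matters, which deserves a comment such as `// shitpost_mode forces the flag on every upload, regardless of the form field`. Consider moving this line to its own commit together with a config example entry. handleUpload continues outside the hunk.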