add config option for api keys

2026-05-22 21:20:52 +02:00
parent 013bdce1db
commit fe1a29c2a6
5 changed files with 15 additions and 2 deletions


@@ -732,6 +732,9 @@ export default router => {
// GET /api/v2/settings/api-key
// Returns whether the user has an API key, when it was created, and the last 8 chars (masked preview).
group.get(/\/api-key$/, lib.loggedin, async (req, res) => {
if (cfg.websrv.enable_user_api_keys === false) {
return res.json({ success: false, msg: 'API keys are disabled' }, 403);
}
try {
const row = (await db`
SELECT api_key, created_at
@@ -759,6 +762,9 @@ export default router => {
// POST /api/v2/settings/api-key/regenerate
// Generates a new key (or replaces an existing one). Returns the full key — only shown once.
group.post(/\/api-key\/regenerate$/, lib.loggedin, async (req, res) => {
if (cfg.websrv.enable_user_api_keys === false) {
return res.json({ success: false, msg: 'API keys are disabled' }, 403);
}
try {
const newKey = crypto.randomBytes(32).toString('hex');
@@ -784,6 +790,9 @@ export default router => {
// DELETE /api/v2/settings/api-key
// Revokes (deletes) the user's API key.
group.delete(/\/api-key$/, lib.loggedin, async (req, res) => {
if (cfg.websrv.enable_user_api_keys === false) {
return res.json({ success: false, msg: 'API keys are disabled' }, 403);
}
try {
const result = await db`
DELETE FROM user_api_keys
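Review bot: The guard added to the DELETE handler (`group.delete(/\/api-key$/, …`) stops a user from revoking their key once the feature is switched off. The upload handler's check on this page only skips the `X-Api-Key` header while `cfg.websrv.enable_user_api_keys` is false, so rows already in `user_api_keys` presumably stay in place and become valid again as soon as the option is turned back on. Consider leaving revocation available while disabled (drop the guard from the DELETE route only), or state next to the option that disabling does not purge stored keys. The same three-line guard is repeated in the GET and regenerate handlers; a small middleware placed after `lib.loggedin` would keep it in one spot. All three handler bodies continue outside their hunks.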


@@ -50,6 +50,7 @@ export default (router, tpl) => {
joined: user?.created_at || null,
enable_swf: cfg.enable_swf,
enable_data_export: cfg.websrv.enable_data_export,
enable_user_api_keys: cfg.websrv.enable_user_api_keys !== false,
site_domain: cfg.main.url.domain,
session: (req.session && req.session.user) ? { ...req.session } : false,
page_meta: {
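Review bot: The flag is default-on and loosely typed: `cfg.websrv.enable_user_api_keys !== false` treats a missing key, `null`, or a string such as `"false"` as enabled, so a typo in the config silently leaves API-key authentication switched on. The route guards and the upload check on this page repeat the same test in two spellings (`=== false` and `!== false`). Normalising the value to a strict boolean once at config load, with the default written there, would let this line pass it through unchanged like `enable_data_export` above and keep every consumer in agreement. The object literal starts and ends outside the hunk.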


@@ -38,7 +38,7 @@ export const handleUpload = async (req, res, self) => {
}
// Fallback: authenticate via X-Api-Key header (upload-only; no CSRF required)
if (!req.session && req.headers['x-api-key']) {
if (!req.session && req.headers['x-api-key'] && cfg.websrv.enable_user_api_keys !== false) {
const key = req.headers['x-api-key'];
try {
const rows = await db`
@@ -108,7 +108,7 @@ export const handleUpload = async (req, res, self) => {
const is_oc = (parts.is_oc === 'true' || parts.is_oc === '1');
const is_shitpost = (parts.is_shitpost === 'true' || parts.is_shitpost === '1');
const is_shitpost = (parts.is_shitpost === 'true' || parts.is_shitpost === '1') || cfg.websrv.shitpost_mode === true;
const maxLen = cfg.main.comment_max_length;
if (comment && maxLen !== null && maxLen !== undefined && comment.length > maxLen) {