Revert "Added "apiKeyDisabled" setting to bypass API key / loopback checking for those who need it."

This reverts commit 8a7446fb40.
This commit is contained in:
CalDescent 2021-11-13 19:19:54 +00:00
parent a9af5bcec4
commit 97ca414fc0
3 changed files with 0 additions and 38 deletions


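--- a/<path-not-on-page>/ApiService.java
+++ b/<path-not-on-page>/ApiService.java
@@ -14,8 +14,6 @@ import java.security.SecureRandom;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.rewrite.handler.RedirectPatternRule;
 import org.eclipse.jetty.rewrite.handler.RewriteHandler;
@@ -52,8 +50,6 @@ import org.qortal.settings.Settings;
 public class ApiService {
-private static final Logger LOGGER = LogManager.getLogger(ApiService.class);
 private static ApiService instance;
 private final ResourceConfig config;
@@ -207,9 +203,6 @@ public class ApiService {
 context.addServlet(TradeBotWebSocket.class, "/websockets/crosschain/tradebot");
 context.addServlet(PresenceWebSocket.class, "/websockets/presence");
-// Warn about API security if needed
-this.checkApiSecurity();
 // Start server
 this.server.start();
 } catch (Exception e) {
@@ -229,23 +222,4 @@ public class ApiService {
 this.server = null;
 }
-private void checkApiSecurity() {
-// Warn about API security if needed
-boolean allConnectionsAllowed = false;
-if (Settings.getInstance().isApiKeyDisabled()) {
-for (String pattern : Settings.getInstance().getApiWhitelist()) {
-if (pattern.startsWith("0.0.0.0/") || pattern.startsWith("::/") || pattern.endsWith("/0")) {
-allConnectionsAllowed = true;
-}
-}
-if (allConnectionsAllowed) {
-LOGGER.warn("Warning: API key validation is currently disabled, and the API whitelist " +
-"is allowing all connections. This can be a security risk.");
-LOGGER.warn("To fix, set the apiKeyDisabled setting to false, or allow only specific local " +
-"IP addresses using the apiWhitelist setting.");
-}
-}
-}
 }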


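--- a/<path-not-on-page>/Security.java
+++ b/<path-not-on-page>/Security.java
@@ -12,11 +12,6 @@ public abstract class Security {
 public static final String API_KEY_HEADER = "X-API-KEY";
 public static void checkApiCallAllowed(HttpServletRequest request) {
-// If API key checking has been disabled, we will allow the request in all cases
-boolean isApiKeyDisabled = Settings.getInstance().isApiKeyDisabled();
-if (isApiKeyDisabled)
-return;
 String expectedApiKey = Settings.getInstance().getApiKey();
 String passedApiKey = request.getHeader(API_KEY_HEADER);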


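--- a/<path-not-on-page>/Settings.java
+++ b/<path-not-on-page>/Settings.java
@@ -74,9 +74,6 @@ public class Settings {
 };
 private Boolean apiRestricted;
 private String apiKey = null;
-/** Whether to disable API key or loopback address checking
-* IMPORTANT: do not disable for shared nodes or low-security local networks */
-private boolean apiKeyDisabled = false;
 private boolean apiLoggingEnabled = false;
 private boolean apiDocumentationEnabled = false;
 // Both of these need to be set for API to use SSL
@@ -482,10 +479,6 @@ public class Settings {
 return this.apiKey;
 }
-public boolean isApiKeyDisabled() {
-return this.apiKeyDisabled;
-}
 public boolean isApiLoggingEnabled() {
 return this.apiLoggingEnabled;
 }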