Disabling /api and /api/swagger endpoints

[0rzech]

It would be nice, if there were options to disable /api and /api/swagger endpoints.

[lafriks]

What is use case for disabling API?

[0rzech]

When one doesn't want to expose it at all, eg. to reduce attack surface.

[lafriks]

You can use nginx in front of gitea and than disable everything starting with /api

[0rzech]

Yes, but the link to API will remain in footer.

[lafriks]

It will not work anyway ;) not the best option but you can change template if that is really needed

[0rzech]

Yes, but IMHO it's a bit too dirty to change template and server configuration to achieve that.

[lafriks]

Of course option to hide swagger link can be added

[0rzech]

Cool. Thanks for your input.

[lunny]

resolved by #3502

[shuhaowu]

The other PR doesn't actually disable /api, right? Only /api/swagger (which is the documentation endpoint and try it out interface??) is disabled in that PR afaict.

Thus this is not quite resolved with that option. To work around this, you can disable access to /api in the reverse proxy setup link nginx on the node. The /api/internal endpoints should stay unaffected with this because gitea by default tries to build the internal API calls' urls via HTTP_ADDR:HTTP_PORT specified in the settings, which doesn't go through the reverse proxy locally. Just ensure that you only bind with HTTP_ADDR = 127.0.0.1.

[lafriks]

@shuhaowu not true, gitea also uses API for some functionality so it can not be disabled fully without loosing some functionality

[shuhaowu]

Yeah but my work around shouldn't impact it? As I can see in the code, any API calls gitea does uses LocalURL, which is HTTP_ADDR:HTTP_PORT if running in the regular server mode, correct?

[0rzech]

@shuhaowu Gitea front-end uses API as well. You can find it here. Just look for /api occurrences.

[gerroon]

What is use case for disabling API?

I just realized that non users can get user names without signed in, I do not know how this is not a security issue.

Here is from non public repo, using from terminal without any form of login indication. There is not even an API key involved.

curl -X GET "https://DOMAIN/GIT/gc/api/v1/users/search?q=USE" -H  "accept: application/json"


{"data":[{"id":0,"login":"USER","full_name":"","email":"","avatar_url":"https://DOMAIN/GIT/gc/user/avatar/USER/-1","language":"","is_admin":false,"last_login":"0001-01-01T00:00:00Z","created":"2018-05-21T22:45:38-05:00","username":"USER"}],"ok":true}

[techknowlogick]

@gerroon you can get the same information from the webapp itself example: https://try.gitea.io/explore/users

This ticket is closed, if you have a feature request please create a new issue, however disabling the API is not possible as mentioned above the web interface makes use of it.