fix(core): Block Public API related REST calls when Public API is not enabled

packages/cli/src/PublicApi/index.ts

@@ -153,11 +153,6 @@ export const loadPublicApiVersions = async (
 	};
 };
 
-function isApiEnabledByLicense(): boolean {
-	const license = Container.get(License);
-	return !license.isAPIDisabled();
-}
-
 export function isApiEnabled(): boolean {
-	return !config.get('publicApi.disabled') && isApiEnabledByLicense();
+	return !config.get('publicApi.disabled') && !Container.get(License).isAPIDisabled();
 }

packages/cli/src/controllers/me.controller.ts

@@ -1,6 +1,6 @@
 import validator from 'validator';
 import { plainToInstance } from 'class-transformer';
-import { Response } from 'express';
+import { type RequestHandler, Response } from 'express';
 import { randomBytes } from 'crypto';
 
 import { AuthService } from '@/auth/auth.service';
@@ -22,6 +22,15 @@ import { ExternalHooks } from '@/ExternalHooks';
 import { InternalHooks } from '@/InternalHooks';
 import { BadRequestError } from '@/errors/response-errors/bad-request.error';
 import { UserRepository } from '@/databases/repositories/user.repository';
+import { isApiEnabled } from '@/PublicApi';
+
+export const isApiEnabledMiddleware: RequestHandler = (_, res, next) => {
+	if (isApiEnabled()) {
+		next();
+	} else {
+		res.status(404).end();
+	}
+};
 
 @RestController('/me')
 export class MeController {
@@ -185,7 +194,7 @@ export class MeController {
 	/**
 	 * Creates an API Key
 	 */
-	@Post('/api-key')
+	@Post('/api-key', { middlewares: [isApiEnabledMiddleware] })
 	async createAPIKey(req: AuthenticatedRequest) {
 		const apiKey = `n8n_api_${randomBytes(40).toString('hex')}`;
 
@@ -202,15 +211,15 @@ export class MeController {
 	/**
 	 * Get an API Key
 	 */
-	@Get('/api-key')
+	@Get('/api-key', { middlewares: [isApiEnabledMiddleware] })
 	async getAPIKey(req: AuthenticatedRequest) {
 		return { apiKey: req.user.apiKey };
 	}
 
 	/**
 	 * Deletes an API Key
 	 */
-	@Delete('/api-key')
+	@Delete('/api-key', { middlewares: [isApiEnabledMiddleware] })
 	async deleteAPIKey(req: AuthenticatedRequest) {
 		await this.userService.update(req.user.id, { apiKey: null });
 

packages/cli/src/services/frontend.service.ts

@@ -31,6 +31,7 @@ import type { CommunityPackagesService } from '@/services/communityPackages.serv
 import { Logger } from '@/Logger';
 import { UrlService } from './url.service';
 import { InternalHooks } from '@/InternalHooks';
+import { isApiEnabled } from '@/PublicApi';
 
 @Service()
 export class FrontendService {
@@ -143,7 +144,7 @@ export class FrontendService {
 				},
 			},
 			publicApi: {
-				enabled: !config.get('publicApi.disabled') && !this.license.isAPIDisabled(),
+				enabled: isApiEnabled(),
 				latestVersion: 1,
 				path: config.getEnv('publicApi.path'),
 				swaggerUi: {

packages/cli/test/integration/me.api.test.ts

@@ -1,7 +1,12 @@
+import { Container } from 'typedi';
 import type { SuperAgentTest } from 'supertest';
 import { IsNull } from '@n8n/typeorm';
 import validator from 'validator';
+
 import type { User } from '@db/entities/User';
+import { UserRepository } from '@db/repositories/user.repository';
+import { ProjectRepository } from '@db/repositories/project.repository';
+
 import { SUCCESS_RESPONSE_BODY } from './shared/constants';
 import {
 	randomApiKey,
@@ -13,14 +18,13 @@ import {
 import * as testDb from './shared/testDb';
 import * as utils from './shared/utils/';
 import { addApiKey, createUser, createUserShell } from './shared/db/users';
-import Container from 'typedi';
-import { UserRepository } from '@db/repositories/user.repository';
-import { ProjectRepository } from '@/databases/repositories/project.repository';
+import config from '@/config';
 
 const testServer = utils.setupTestServer({ endpointGroups: ['me'] });
 
 beforeEach(async () => {
 	await testDb.truncate(['User']);
+	config.set('publicApi.disabled', false);
 });
 
 describe('Owner shell', () => {
@@ -151,13 +155,25 @@ describe('Owner shell', () => {
 		expect(storedShellOwner.apiKey).toEqual(response.body.data.apiKey);
 	});
 
+	test('POST /me/api-key 404 when the API is disabled', async () => {
+		config.set('publicApi.disabled', true);
+		const response = await authOwnerShellAgent.post('/me/api-key');
+		expect(response.statusCode).toBe(404);
+	});
+
 	test('GET /me/api-key should fetch the api key', async () => {
 		const response = await authOwnerShellAgent.get('/me/api-key');
 
 		expect(response.statusCode).toBe(200);
 		expect(response.body.data.apiKey).toEqual(ownerShell.apiKey);
 	});
 
+	test('GET /me/api-key should 404 when the API is disabled', async () => {
+		config.set('publicApi.disabled', true);
+		const response = await authOwnerShellAgent.get('/me/api-key');
+		expect(response.statusCode).toBe(404);
+	});
+
 	test('DELETE /me/api-key should fetch the api key', async () => {
 		const response = await authOwnerShellAgent.delete('/me/api-key');