Revert "Added "apiKeyDisabled" setting to bypass API key / loopback checking for those who need it."

This reverts commit 8a7446fb40.
3 years ago · 97ca414fc0
3 changed files with 0 additions and 38 deletions
--- a/src/main/java/org/qortal/api/ApiService.java
+++ b/src/main/java/org/qortal/api/ApiService.java
@ -14,8 +14,6 @@ import java.security.SecureRandom;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;

-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.rewrite.handler.RedirectPatternRule;
 import org.eclipse.jetty.rewrite.handler.RewriteHandler;
@ -52,8 +50,6 @@ import org.qortal.settings.Settings;

 public class ApiService {

-	private static final Logger LOGGER = LogManager.getLogger(ApiService.class);
-
 	private static ApiService instance;

 	private final ResourceConfig config;
@ -207,9 +203,6 @@ public class ApiService {
 			context.addServlet(TradeBotWebSocket.class, "/websockets/crosschain/tradebot");
 			context.addServlet(PresenceWebSocket.class, "/websockets/presence");

-			// Warn about API security if needed
-			this.checkApiSecurity();
-
 			// Start server
 			this.server.start();
 		} catch (Exception e) {
@ -229,23 +222,4 @@ public class ApiService {
 		this.server = null;
 	}

-	private void checkApiSecurity() {
-		// Warn about API security if needed
-		boolean allConnectionsAllowed = false;
-		if (Settings.getInstance().isApiKeyDisabled()) {
-			for (String pattern : Settings.getInstance().getApiWhitelist()) {
-				if (pattern.startsWith("0.0.0.0/") || pattern.startsWith("::/") || pattern.endsWith("/0")) {
-					allConnectionsAllowed = true;
-				}
-			}
-
-			if (allConnectionsAllowed) {
-				LOGGER.warn("Warning: API key validation is currently disabled, and the API whitelist " +
-						"is allowing all connections. This can be a security risk.");
-				LOGGER.warn("To fix, set the apiKeyDisabled setting to false, or allow only specific local " +
-						"IP addresses using the apiWhitelist setting.");
-			}
-		}
-	}
-
 }
--- a/src/main/java/org/qortal/api/Security.java
+++ b/src/main/java/org/qortal/api/Security.java
@ -12,11 +12,6 @@ public abstract class Security {
 	public static final String API_KEY_HEADER = "X-API-KEY";

 	public static void checkApiCallAllowed(HttpServletRequest request) {
-		// If API key checking has been disabled, we will allow the request in all cases
-		boolean isApiKeyDisabled = Settings.getInstance().isApiKeyDisabled();
-		if (isApiKeyDisabled)
-			return;
-
 		String expectedApiKey = Settings.getInstance().getApiKey();
 		String passedApiKey = request.getHeader(API_KEY_HEADER);

--- a/src/main/java/org/qortal/settings/Settings.java
+++ b/src/main/java/org/qortal/settings/Settings.java
@ -74,9 +74,6 @@ public class Settings {
 	};
 	private Boolean apiRestricted;
 	private String apiKey = null;
-	/** Whether to disable API key or loopback address checking
-	 * IMPORTANT: do not disable for shared nodes or low-security local networks */
-	private boolean apiKeyDisabled = false;
 	private boolean apiLoggingEnabled = false;
 	private boolean apiDocumentationEnabled = false;
 	// Both of these need to be set for API to use SSL
@ -482,10 +479,6 @@ public class Settings {
 		return this.apiKey;
 	}

-	public boolean isApiKeyDisabled() {
-		return this.apiKeyDisabled;
-	}
-
 	public boolean isApiLoggingEnabled() {
 		return this.apiLoggingEnabled;
 	}