🔧(backend) add Django setting to disable external API endpoints

Introduce ENABLE_EXTERNAL_API setting (defaults to False) to allow administrators to disable external API endpoints, preventing unintended exposure for self-hosted instances where such endpoints aren't needed or desired.
2025-10-06 19:23:48 +02:00
parent 69a9a07d21
commit 4c6741c905
3 changed files with 17 additions and 8 deletions
--- a/env.d/development/common.dist
+++ b/env.d/development/common.dist
@@ -67,6 +67,7 @@ FRONTEND_USE_FRENCH_GOV_FOOTER=False
 FRONTEND_USE_PROCONNECT_BUTTON=False

 # External Applications
+EXTERNAL_API_ENABLED=True
 APPLICATION_JWT_AUDIENCE=http://localhost:8071/external-api/v1.0/
 APPLICATION_JWT_SECRET_KEY=devKey
 APPLICATION_BASE_URL=http://localhost:3000
--- a/src/backend/core/urls.py
+++ b/src/backend/core/urls.py
@@ -43,12 +43,16 @@ urlpatterns = [
            ]
        ),
    ),
-    path(
-        f"external-api/{settings.EXTERNAL_API_VERSION}/",
-        include(
-            [
-                *external_router.urls,
-            ]
-        ),
-    ),
 ]
+
+if settings.EXTERNAL_API_ENABLED:
+    urlpatterns.append(
+        path(
+            f"external-api/{settings.EXTERNAL_API_VERSION}/",
+            include(
+                [
+                    *external_router.urls,
+                ]
+            ),
+        )
+    )
--- a/src/backend/meet/settings.py
+++ b/src/backend/meet/settings.py
@@ -70,6 +70,9 @@ class Base(Configuration):

    API_VERSION = "v1.0"
    EXTERNAL_API_VERSION = "v1.0"
+    EXTERNAL_API_ENABLED = values.BooleanValue(
+        False, environ_name="EXTERNAL_API_ENABLED", environ_prefix=None
+    )

    DATA_DIR = values.Value(path.join("/", "data"), environ_name="DATA_DIR")

@@ -828,6 +831,7 @@ class Test(Base):
        "django.contrib.auth.hashers.MD5PasswordHasher",
    ]
    USE_SWAGGER = True
+    EXTERNAL_API_ENABLED = True

    CELERY_TASK_ALWAYS_EAGER = values.BooleanValue(True)