🔧(backend) add Django setting to disable external API endpoints

Introduce ENABLE_EXTERNAL_API setting (defaults to False) to allow
administrators to disable external API endpoints, preventing unintended
exposure for self-hosted instances where such endpoints aren't
needed or desired.

env.d/development/common.dist

@@ -67,6 +67,7 @@ FRONTEND_USE_FRENCH_GOV_FOOTER=False
 FRONTEND_USE_PROCONNECT_BUTTON=False
 
 # External Applications
+EXTERNAL_API_ENABLED=True
 APPLICATION_JWT_AUDIENCE=http://localhost:8071/external-api/v1.0/
 APPLICATION_JWT_SECRET_KEY=devKey
 APPLICATION_BASE_URL=http://localhost:3000

src/backend/core/urls.py

@@ -43,12 +43,16 @@ urlpatterns = [
             ]
         ),
     ),
-    path(
-        f"external-api/{settings.EXTERNAL_API_VERSION}/",
-        include(
-            [
-                *external_router.urls,
-            ]
-        ),
-    ),
 ]
+
+if settings.EXTERNAL_API_ENABLED:
+    urlpatterns.append(
+        path(
+            f"external-api/{settings.EXTERNAL_API_VERSION}/",
+            include(
+                [
+                    *external_router.urls,
+                ]
+            ),
+        )
+    )

src/backend/meet/settings.py

@@ -70,6 +70,9 @@ class Base(Configuration):
 
     API_VERSION = "v1.0"
     EXTERNAL_API_VERSION = "v1.0"
+    EXTERNAL_API_ENABLED = values.BooleanValue(
+        False, environ_name="EXTERNAL_API_ENABLED", environ_prefix=None
+    )
 
     DATA_DIR = values.Value(path.join("/", "data"), environ_name="DATA_DIR")
 
@@ -828,6 +831,7 @@ class Test(Base):
         "django.contrib.auth.hashers.MD5PasswordHasher",
     ]
     USE_SWAGGER = True
+    EXTERNAL_API_ENABLED = True
 
     CELERY_TASK_ALWAYS_EAGER = values.BooleanValue(True)