fix: restore API token functionality when auth is disabled

- API tokens now work even when DISABLE_AUTH is set - Added API token section back to Security tab in settings - API tokens can protect API access for automation while keeping UI open - Invalid tokens are rejected even with auth disabled - Export/import endpoints still require valid API token
2026-05-22 03:02:35 +00:00 · 2025-08-21 12:26:08 +00:00 · 2025-08-21 12:26:08 +00:00 · d6a072f0c3
commit d6a072f0c3
parent 93c881eb27
3 changed files with 45 additions and 8 deletions
--- a/frontend-modern/src/components/Settings/Settings.tsx
+++ b/frontend-modern/src/components/Settings/Settings.tsx
@ -1667,10 +1667,8 @@ const Settings: Component = () => {
              
              {/* Security setup now handled by first-run wizard */}

-              {/* Removed confusing API Token section when no auth exists - API is already open */}
-
-              {/* API Token - Show current token when auth is enabled */}
-              <Show when={!securityStatusLoading() && securityStatus()?.hasAuthentication && securityStatus()?.apiTokenConfigured}>
+              {/* API Token - Show always to allow API access even when auth is disabled */}
+              <Show when={!securityStatusLoading()}>
                <div class="bg-white dark:bg-gray-800 rounded-lg border border-gray-200 dark:border-gray-700 overflow-hidden">
                  {/* Header */}
                  <div class="bg-gradient-to-r from-blue-50 to-indigo-50 dark:from-blue-900/20 dark:to-indigo-900/20 px-6 py-4 border-b border-gray-200 dark:border-gray-700">
@ -1689,6 +1687,14 @@ const Settings: Component = () => {
                  
                  {/* Content */}
                  <div class="p-6">
+                    {/* Show explanation when auth is disabled */}
+                    <Show when={!securityStatus()?.hasAuthentication}>
+                      <div class="mb-4 p-3 bg-blue-50 dark:bg-blue-900/20 border border-blue-200 dark:border-blue-800 rounded-lg">
+                        <p class="text-xs text-blue-800 dark:text-blue-200">
+                          <strong>API Access Control:</strong> Even though authentication is disabled, you can still use API tokens to protect API access for automation and integrations.
+                        </p>
+                      </div>
+                    </Show>
                    <GenerateAPIToken currentTokenHint={securityStatus()?.apiTokenHint} />
                  </div>
                </div>
--- a/internal/api/router.go
+++ b/internal/api/router.go
@ -214,10 +214,19 @@ func (r *Router) setupRoutes() {
 			
 			// Check if auth is globally disabled
 			if r.config.DisableAuth {
+				// Even with auth disabled, report API token status for API access
+				var apiTokenHint string
+				if r.config.APIToken != "" && len(r.config.APIToken) >= 8 {
+					apiTokenHint = r.config.APIToken[:4] + "..." + r.config.APIToken[len(r.config.APIToken)-4:]
+				}
+				
 				json.NewEncoder(w).Encode(map[string]interface{}{
 					"configured": false,
 					"disabled": true,
 					"message": "Authentication is disabled via DISABLE_AUTH environment variable",
+					"apiTokenConfigured": r.config.APIToken != "",
+					"apiTokenHint": apiTokenHint,
+					"hasAuthentication": false,
 				})
 				return
 			}
@ -674,9 +683,30 @@ func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	needsAuth := true
 	
 	// Check if auth is globally disabled
+	// BUT still check for API tokens if provided (for API access when auth is disabled)
 	if r.config.DisableAuth {
-		needsAuth = false
-		w.Header().Set("X-Auth-Disabled", "true")
+		// Check if an API token was provided
+		providedToken := req.Header.Get("X-API-Token")
+		if providedToken == "" {
+			providedToken = req.URL.Query().Get("token")
+		}
+		
+		// If a valid API token is provided, allow access even with DisableAuth
+		if providedToken != "" && r.config.APIToken != "" {
+			if auth.CompareAPIToken(providedToken, r.config.APIToken) {
+				// Valid API token provided, allow access
+				needsAuth = false
+				w.Header().Set("X-Auth-Method", "api-token")
+			} else {
+				// Invalid API token - reject even with DisableAuth
+				http.Error(w, "Invalid API token", http.StatusUnauthorized)
+				return
+			}
+		} else {
+			// No API token provided with DisableAuth - allow open access
+			needsAuth = false
+			w.Header().Set("X-Auth-Disabled", "true")
+		}
 	}
 	
 	// Recovery mechanism: Check if recovery mode is enabled
--- a/internal/api/security_setup_fix.go
+++ b/internal/api/security_setup_fix.go
@ -340,9 +340,10 @@ ENABLE_AUDIT_LOG=true

 // HandleRegenerateAPIToken generates a new API token and updates the .env file
 func (r *Router) HandleRegenerateAPIToken(w http.ResponseWriter, rq *http.Request) {
-	// Only require authentication if auth is already configured
+	// Only require authentication if auth is already configured AND not disabled
 	// This allows users to set up API-only access without password auth
-	if (r.config.AuthUser != "" || r.config.AuthPass != "") && !CheckAuth(r.config, w, rq) {
+	// When auth is disabled, allow API token generation for API-only access
+	if !r.config.DisableAuth && (r.config.AuthUser != "" || r.config.AuthPass != "") && !CheckAuth(r.config, w, rq) {
 		return
 	}