From d6a072f0c3862adbc5ed7da431bae798e59fdeb9 Mon Sep 17 00:00:00 2001 From: Pulse Monitor Date: Thu, 21 Aug 2025 12:26:08 +0000 Subject: [PATCH] fix: restore API token functionality when auth is disabled - API tokens now work even when DISABLE_AUTH is set - Added API token section back to Security tab in settings - API tokens can protect API access for automation while keeping UI open - Invalid tokens are rejected even with auth disabled - Export/import endpoints still require valid API token --- .../src/components/Settings/Settings.tsx | 14 +++++--- internal/api/router.go | 34 +++++++++++++++++-- internal/api/security_setup_fix.go | 5 +-- 3 files changed, 45 insertions(+), 8 deletions(-) diff --git a/frontend-modern/src/components/Settings/Settings.tsx b/frontend-modern/src/components/Settings/Settings.tsx index 8b0c7a248..771831479 100644 --- a/frontend-modern/src/components/Settings/Settings.tsx +++ b/frontend-modern/src/components/Settings/Settings.tsx @@ -1667,10 +1667,8 @@ const Settings: Component = () => { {/* Security setup now handled by first-run wizard */} - {/* Removed confusing API Token section when no auth exists - API is already open */} - - {/* API Token - Show current token when auth is enabled */} - + {/* API Token - Show always to allow API access even when auth is disabled */} +
{/* Header */}
@@ -1689,6 +1687,14 @@ const Settings: Component = () => { {/* Content */}
+ {/* Show explanation when auth is disabled */} + +
+

+ API Access Control: Even though authentication is disabled, you can still use API tokens to protect API access for automation and integrations. +

+
+
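Review bot: The new explanation text (`API Access Control: Even though authentication is disabled, you can still use API tokens to protect API access ...`) promises more than the server enforces: in the router.go ServeHTTP hunk of this same commit, a request that carries no token at all still takes the `X-Auth-Disabled` branch and is served, so a configured token only rejects wrong tokens and does not gate access. Unless a per-endpoint check exists elsewhere (the commit message mentions export/import, which is not visible here), the sentence should be narrowed, e.g. `API tokens are validated when supplied; with authentication disabled, requests that send no token are still accepted.` The enclosing JSX element starts and ends outside the hunk.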
diff --git a/internal/api/router.go b/internal/api/router.go index ab63931bc..c559403d4 100644 --- a/internal/api/router.go +++ b/internal/api/router.go @@ -214,10 +214,19 @@ func (r *Router) setupRoutes() { // Check if auth is globally disabled if r.config.DisableAuth { + // Even with auth disabled, report API token status for API access + var apiTokenHint string + if r.config.APIToken != "" && len(r.config.APIToken) >= 8 { + apiTokenHint = r.config.APIToken[:4] + "..." + r.config.APIToken[len(r.config.APIToken)-4:] + } + json.NewEncoder(w).Encode(map[string]interface{}{ "configured": false, "disabled": true, "message": "Authentication is disabled via DISABLE_AUTH environment variable", + "apiTokenConfigured": r.config.APIToken != "", + "apiTokenHint": apiTokenHint, + "hasAuthentication": false, }) return } @@ -674,9 +683,30 @@ func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) { needsAuth := true // Check if auth is globally disabled + // BUT still check for API tokens if provided (for API access when auth is disabled) if r.config.DisableAuth { - needsAuth = false - w.Header().Set("X-Auth-Disabled", "true") + // Check if an API token was provided + providedToken := req.Header.Get("X-API-Token") + if providedToken == "" { + providedToken = req.URL.Query().Get("token") + } + + // If a valid API token is provided, allow access even with DisableAuth + if providedToken != "" && r.config.APIToken != "" { + if auth.CompareAPIToken(providedToken, r.config.APIToken) { + // Valid API token provided, allow access + needsAuth = false + w.Header().Set("X-Auth-Method", "api-token") + } else { + // Invalid API token - reject even with DisableAuth + http.Error(w, "Invalid API token", http.StatusUnauthorized) + return + } + } else { + // No API token provided with DisableAuth - allow open access + needsAuth = false + w.Header().Set("X-Auth-Disabled", "true") + } } // Recovery mechanism: Check if recovery mode is enabled 
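Review bot: `apiTokenHint` discloses part of the secret to an unauthenticated caller: this branch runs only when `DisableAuth` is set, so anyone who can reach the endpoint receives the first and last four characters, and because the guard is `len(r.config.APIToken) >= 8` an eight-character token is returned in full. Either drop the hint from this branch and keep only `"apiTokenConfigured": r.config.APIToken != "",`, or return the hint only after the request has itself presented a valid token. If a hint must stay, raise the length threshold so the two fragments are a small fraction of the token. The handler closure containing this `if` begins outside the hunk.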
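Review bot: Accepting the API token from the `token` query parameter (`providedToken = req.URL.Query().Get("token")`) puts the secret into web-server and proxy access logs, browser history and Referer headers, which is a well-known leak path; prefer requiring the `X-API-Token` header, and if the query form must stay for compatibility, say so in a comment above the fallback, e.g. `// Query-string tokens are accepted for legacy clients only; they end up in access logs, so new integrations must use the header.` The `else` comment `// No API token provided with DisableAuth - allow open access` is accurate and should stay, since it is the only place that makes clear that omitting the token bypasses the check. ServeHTTP continues outside the hunk.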
diff --git a/internal/api/security_setup_fix.go b/internal/api/security_setup_fix.go index 88e51a273..7cdf5dd7b 100644 --- a/internal/api/security_setup_fix.go +++ b/internal/api/security_setup_fix.go @@ -340,9 +340,10 @@ ENABLE_AUDIT_LOG=true // HandleRegenerateAPIToken generates a new API token and updates the .env file func (r *Router) HandleRegenerateAPIToken(w http.ResponseWriter, rq *http.Request) { - // Only require authentication if auth is already configured + // Only require authentication if auth is already configured AND not disabled // This allows users to set up API-only access without password auth - if (r.config.AuthUser != "" || r.config.AuthPass != "") && !CheckAuth(r.config, w, rq) { + // When auth is disabled, allow API token generation for API-only access + if !r.config.DisableAuth && (r.config.AuthUser != "" || r.config.AuthPass != "") && !CheckAuth(r.config, w, rq) { return }
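Review bot: With `DisableAuth` set, the new condition skips `CheckAuth` entirely, so any unauthenticated caller can regenerate the API token: that invalidates every automation client using the current token, and if the handler returns the new value (the body continues outside the hunk, so this is not visible) the caller also learns it. Since ServeHTTP in this commit lets token-less requests through when auth is disabled, nothing upstream blocks this path. When a token is already configured, require the existing token to rotate it, e.g. `if r.config.DisableAuth && r.config.APIToken != "" && !auth.CompareAPIToken(rq.Header.Get("X-API-Token"), r.config.APIToken) { http.Error(w, "Invalid API token", http.StatusUnauthorized); return }` (assuming this file imports the same `auth` package router.go uses), and state in the comment that first-time generation with no token configured is the only unauthenticated case.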