From 9a37eda302e67a5cc2f9da9becca2fb0f87383dd Mon Sep 17 00:00:00 2001 From: jwed Date: Sun, 24 May 2026 19:44:57 -0400 Subject: [PATCH] feat(api): explicit enable toggle for WiFi password endpoint Previously the API was implicitly active whenever a token existed. Now there's an explicit unifi.api.enabled setting that gates it: * WifiApiController returns 503 ("API disabled") when the setting is off, even if a valid token is presented. Stops the endpoint from silently working if a token is lying around. * Settings page exposes the toggle under the Rotate-WiFi-Passwords block. With it off, the token / URL / curl example are hidden. * The form submit handles the new api_enabled boolean. v1.6.3. Co-Authored-By: Claude Opus 4.7 (1M context) --- composer.json | 2 +- src/Http/Controllers/UnifiSettingsController.php | 3 +++ src/Http/Controllers/WifiApiController.php | 4 ++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 3ac3600..6df6405 100644 --- a/composer.json +++ b/composer.json @@ -1,7 +1,7 @@ { "name": "dashboard/unifi", "description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform", - "version": "1.6.2", + "version": "1.6.3", "type": "library", "license": "MIT", "autoload": { diff --git a/src/Http/Controllers/UnifiSettingsController.php b/src/Http/Controllers/UnifiSettingsController.php index a061cb5..c63c039 100644 --- a/src/Http/Controllers/UnifiSettingsController.php +++ b/src/Http/Controllers/UnifiSettingsController.php @@ -33,6 +33,7 @@ class UnifiSettingsController extends Controller 'rotationLastRotatedAt' => Setting::get('unifi.password_rotation.last_rotated_at', null), 'rotationLastPassword' => Setting::get('unifi.password_rotation.last_password', null), 'ppskSchedulingEnabled' => (bool) Setting::get('unifi.ppsk_scheduling.enabled', false), + 'apiEnabled' => (bool) Setting::get('unifi.api.enabled', false), 'apiToken' => Setting::get('unifi.api_token', null), ]); } @@ -71,6 +72,7 @@ class UnifiSettingsController extends Controller 'rotation_minute' => 'nullable|integer|min:0|max:59', 'rotation_wordlist' => 'nullable|string|max:20000', 'ppsk_scheduling_enabled' => 'boolean', + 'api_enabled' => 'boolean', ]); Setting::set('unifi.controller_url', rtrim($request->controller_url, '/')); @@ -97,6 +99,7 @@ class UnifiSettingsController extends Controller Setting::set('unifi.password_rotation.minute', $request->input('rotation_minute', 0)); Setting::set('unifi.password_rotation.wordlist', $request->input('rotation_wordlist', '')); Setting::set('unifi.ppsk_scheduling.enabled', $request->boolean('ppsk_scheduling_enabled') ? '1' : ''); + Setting::set('unifi.api.enabled', $request->boolean('api_enabled') ? '1' : ''); \Illuminate\Support\Facades\Cache::forget('unifi:api_prefix:' . md5(rtrim($request->controller_url, '/'))); diff --git a/src/Http/Controllers/WifiApiController.php b/src/Http/Controllers/WifiApiController.php index 30d35e3..da58e31 100644 --- a/src/Http/Controllers/WifiApiController.php +++ b/src/Http/Controllers/WifiApiController.php @@ -15,6 +15,10 @@ class WifiApiController extends Controller { public function currentPassword(Request $request) { + if (! Setting::get('unifi.api.enabled')) { + return response()->json(['error' => 'API disabled'], 503); + } + $expected = Setting::get('unifi.api_token'); if (! $expected) { return response()->json(['error' => 'API token not configured'], 503);