feat(api): explicit enable toggle for WiFi password endpoint

Previously the API was implicitly active whenever a token existed. Now there's an explicit unifi.api.enabled setting that gates it: * WifiApiController returns 503 ("API disabled") when the setting is off, even if a valid token is presented. Stops the endpoint from silently working if a token is lying around. * Settings page exposes the toggle under the Rotate-WiFi-Passwords block. With it off, the token / URL / curl example are hidden. * The form submit handles the new api_enabled boolean. v1.6.3. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 19:44:57 -04:00
parent 4b29f55518
commit 9a37eda302
3 changed files with 8 additions and 1 deletions
--- a/src/Http/Controllers/UnifiSettingsController.php
+++ b/src/Http/Controllers/UnifiSettingsController.php
@@ -33,6 +33,7 @@ class UnifiSettingsController extends Controller
            'rotationLastRotatedAt'   => Setting::get('unifi.password_rotation.last_rotated_at', null),
            'rotationLastPassword'    => Setting::get('unifi.password_rotation.last_password', null),
            'ppskSchedulingEnabled'   => (bool) Setting::get('unifi.ppsk_scheduling.enabled', false),
+            'apiEnabled'              => (bool) Setting::get('unifi.api.enabled', false),
            'apiToken'                => Setting::get('unifi.api_token', null),
        ]);
    }
@@ -71,6 +72,7 @@ class UnifiSettingsController extends Controller
            'rotation_minute'       => 'nullable|integer|min:0|max:59',
            'rotation_wordlist'       => 'nullable|string|max:20000',
            'ppsk_scheduling_enabled' => 'boolean',
+            'api_enabled'             => 'boolean',
        ]);

        Setting::set('unifi.controller_url', rtrim($request->controller_url, '/'));
@@ -97,6 +99,7 @@ class UnifiSettingsController extends Controller
        Setting::set('unifi.password_rotation.minute',      $request->input('rotation_minute', 0));
        Setting::set('unifi.password_rotation.wordlist',    $request->input('rotation_wordlist', ''));
        Setting::set('unifi.ppsk_scheduling.enabled',        $request->boolean('ppsk_scheduling_enabled') ? '1' : '');
+        Setting::set('unifi.api.enabled',                    $request->boolean('api_enabled')             ? '1' : '');

        \Illuminate\Support\Facades\Cache::forget('unifi:api_prefix:' . md5(rtrim($request->controller_url, '/')));

--- a/src/Http/Controllers/WifiApiController.php
+++ b/src/Http/Controllers/WifiApiController.php
@@ -15,6 +15,10 @@ class WifiApiController extends Controller
 {
    public function currentPassword(Request $request)
    {
+        if (! Setting::get('unifi.api.enabled')) {
+            return response()->json(['error' => 'API disabled'], 503);
+        }
+
        $expected = Setting::get('unifi.api_token');
        if (! $expected) {
            return response()->json(['error' => 'API token not configured'], 503);