jwed
9a37eda302
Previously the API was implicitly active whenever a token existed.
Now there's an explicit unifi.api.enabled setting that gates it:
* WifiApiController returns 503 ("API disabled") when the setting is
off, even if a valid token is presented. Stops the endpoint from
silently working if a token is lying around.
* Settings page exposes the toggle under the Rotate-WiFi-Passwords
block. With it off, the token / URL / curl example are hidden.
* The form submit handles the new api_enabled boolean.
v1.6.3.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
45 lines
1.4 KiB
PHP
45 lines
1.4 KiB
PHP
<?php
|
|
|
|
namespace Dashboard\Unifi\Http\Controllers;
|
|
|
|
use App\Models\Setting;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Routing\Controller;
|
|
|
|
/**
|
|
* Token-protected JSON endpoints for external integrations (signage,
|
|
* kiosks, room displays, etc.) that need the current rotating WiFi
|
|
* password without going through the dashboard UI.
|
|
*/
|
|
class WifiApiController extends Controller
|
|
{
|
|
public function currentPassword(Request $request)
|
|
{
|
|
if (! Setting::get('unifi.api.enabled')) {
|
|
return response()->json(['error' => 'API disabled'], 503);
|
|
}
|
|
|
|
$expected = Setting::get('unifi.api_token');
|
|
if (! $expected) {
|
|
return response()->json(['error' => 'API token not configured'], 503);
|
|
}
|
|
|
|
$provided = $request->bearerToken() ?: $request->query('token');
|
|
if (! $provided || ! hash_equals($expected, $provided)) {
|
|
return response()->json(['error' => 'Unauthorized'], 401);
|
|
}
|
|
|
|
$password = Setting::get('unifi.password_rotation.last_password');
|
|
if (! $password) {
|
|
return response()->json([
|
|
'error' => 'No rotated password recorded yet — wait for the next scheduled rotation or run unifi:rotate-passwords --force.',
|
|
], 404);
|
|
}
|
|
|
|
return response()->json([
|
|
'password' => $password,
|
|
'rotated_at' => Setting::get('unifi.password_rotation.last_rotated_at'),
|
|
]);
|
|
}
|
|
}
|