From f70952f66b4cbfcd06ecd5f5fb7adf550722c406 Mon Sep 17 00:00:00 2001
From: joeuhren <46763106+joeuhren@users.noreply.github.com>
Date: Thu, 31 Dec 2020 15:45:31 -0700
Subject: [PATCH] Disable api page + public apis when settings.display.api = false

---
 app.js | 22 +++++++++++-----------
 lib/nodeapi.js | 2 +-
 routes/index.js | 9 ++++++++-
 3 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/app.js b/app.js
index 516dc61..a1c3d30 100644
--- a/app.js
+++ b/app.js
@@ -58,7 +58,7 @@ app.use('/', routes);
 app.use('/ext/getmoneysupply', function(req, res) {
 // check if the getmoneysupply api is enabled
- if (settings.public_api.ext['getmoneysupply']) {
+ if (settings.display.api == true && settings.public_api.ext['getmoneysupply']) {
 lib.get_supply(function(supply) {
 res.setHeader('content-type', 'text/plain');
 res.end((supply ? supply.toString() : '0'));
@@ -69,7 +69,7 @@ app.use('/ext/getmoneysupply', function(req, res) {
 app.use('/ext/getaddress/:hash', function(req, res) {
 // check if the getaddress api is enabled
- if (settings.public_api.ext['getaddress']) {
+ if (settings.display.api == true && settings.public_api.ext['getaddress']) {
 db.get_address(req.params.hash, false, function(address) {
 db.get_address_txs_ajax(req.params.hash, 0, settings.txcount, function(txs, count) {
 if (address) {
@@ -113,7 +113,7 @@ app.use('/ext/getaddress/:hash', function(req, res) {
 app.use('/ext/gettx/:txid', function(req, res) {
 // check if the gettx api is enabled
- if (settings.public_api.ext['gettx']) {
+ if (settings.display.api == true && settings.public_api.ext['gettx']) {
 var txid = req.params.txid;
 db.get_tx(txid, function(tx) {
 if (tx) {
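Review bot: The new guard `settings.display.api == true && settings.public_api.ext['…']` is pasted verbatim into every /ext handler in this hunk and the ones that follow, so the master-switch logic now lives in ten places and any later adjustment (for instance tolerating a settings file that predates the `display` key) has to be repeated in each. A single helper near the top of app.js, `function ext_api_enabled(name) { return settings.display.api === true && !!settings.public_api.ext[name]; }`, used as `if (ext_api_enabled('getmoneysupply')) {`, keeps the policy in one spot. Using `===` there is deliberate: with `==`, a non-boolean config value such as `1` also passes as "enabled", which a strict comparison rejects. Each `app.use` callback in this hunk continues past the end of the hunk.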
@@ -167,7 +167,7 @@ app.use('/ext/gettx/:txid', function(req, res) {
 app.use('/ext/getbalance/:hash', function(req, res) {
 // check if the getbalance api is enabled
- if (settings.public_api.ext['getbalance']) {
+ if (settings.display.api == true && settings.public_api.ext['getbalance']) {
 db.get_address(req.params.hash, false, function(address) {
 if (address) {
 res.setHeader('content-type', 'text/plain');
@@ -181,7 +181,7 @@ app.use('/ext/getbalance/:hash', function(req, res) {
 app.use('/ext/getdistribution', function(req, res) {
 // check if the getdistribution api is enabled
- if (settings.public_api.ext['getdistribution']) {
+ if (settings.display.api == true && settings.public_api.ext['getdistribution']) {
 db.get_richlist(settings.coin, function(richlist) {
 db.get_stats(settings.coin, function(stats) {
 db.get_distribution(richlist, stats, function(dist) {
@@ -195,7 +195,7 @@ app.use('/ext/getdistribution', function(req, res) {
 app.use('/ext/getcurrentprice', function(req, res) {
 // check if the getcurrentprice api is enabled
- if (settings.public_api.ext['getcurrentprice']) {
+ if (settings.display.api == true && settings.public_api.ext['getcurrentprice']) {
 db.get_stats(settings.coin, function (stats) {
 eval('var p_ext = { "last_price_'+settings.markets.exchange.toLowerCase()+'": stats.last_price, "last_price_usd": stats.last_usd_price, }');
 res.send(p_ext);
@@ -206,7 +206,7 @@ app.use('/ext/getcurrentprice', function(req, res) {
 app.use('/ext/getbasicstats', function(req, res) {
 // check if the getbasicstats api is enabled
- if (settings.public_api.ext['getbasicstats']) {
+ if (settings.display.api == true && settings.public_api.ext['getbasicstats']) {
 // lookup stats
 db.get_stats(settings.coin, function (stats) {
 // lookup coin supply
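Review bot: In the getcurrentprice hunk the branch that is now gated on `settings.display.api` still builds `p_ext` with `eval(...)`, splicing `settings.markets.exchange` into JavaScript source text; that value is operator configuration rather than request input, so it is not remotely reachable as written, and it is pre-existing rather than introduced here, but it remains a code-execution sink that any future change feeding it another value would expose. The same object can be built without eval and with the same key order: `var p_ext = {};` then `p_ext['last_price_' + settings.markets.exchange.toLowerCase()] = stats.last_price;` then `p_ext.last_price_usd = stats.last_usd_price;`. The `db.get_stats` callback and the enclosing `app.use` continue past the end of the hunk.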
@@ -234,7 +234,7 @@ app.use('/ext/getbasicstats', function(req, res) {
 app.use('/ext/getlasttxs/:min', function(req, res) {
 // check if the getlasttxs api is enabled or else check the headers to see if it matches an internal ajax request from the explorer itself (TODO: come up with a more secure method of whitelisting ajax calls from the explorer)
- if (settings.public_api.ext['getlasttxs'] || (req.headers['x-requested-with'] != null && req.headers['x-requested-with'].toLowerCase() == 'xmlhttprequest' && req.headers.referer != null && req.headers.accept.indexOf('text/javascript') > -1 && req.headers.accept.indexOf('application/json') > -1)) {
+ if ((settings.display.api == true && settings.public_api.ext['getlasttxs']) || (req.headers['x-requested-with'] != null && req.headers['x-requested-with'].toLowerCase() == 'xmlhttprequest' && req.headers.referer != null && req.headers.accept.indexOf('text/javascript') > -1 && req.headers.accept.indexOf('application/json') > -1)) {
 var min = req.params.min, start, length;
 // split url suffix by forward slash and remove blank entries
 var split = req.url.split('/').filter(function(v) { return v; });
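Review bot: Setting `settings.display.api = false` does not actually close /ext/getlasttxs: the new `settings.display.api == true` test is applied only to the left operand of the `||`, and the right operand still admits any client that sends `X-Requested-With: XMLHttpRequest`, a non-empty `Referer`, and an `Accept` containing both `text/javascript` and `application/json` — all trivially supplied by curl or a script, as the inline TODO already concedes. If `display.api = false` is meant to be a hard kill-switch for outsiders, the heuristic needs something the explorer's own pages can present but a third party cannot (a per-session token, or a same-origin comparison of the Referer/Origin host against the request host rather than a non-null check), or the settings documentation should state that this endpoint stays reachable. Separately, `req.headers.accept.indexOf(...)` throws a TypeError when the request carries no Accept header, because only `x-requested-with` and `referer` are null-checked; add `req.headers.accept != null &&` before the two `indexOf` calls so such a request falls through to the disabled branch instead of surfacing as an Express error. The handler body continues past the end of the hunk.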
@@ -360,7 +360,7 @@ app.use('/ext/connections', function(req,res){
 // get the list of masternodes from local collection
 app.use('/ext/getmasternodelist', function(req, res) {
 // check if the getmasternodelist api is enabled or else check the headers to see if it matches an internal ajax request from the explorer itself (TODO: come up with a more secure method of whitelisting ajax calls from the explorer)
- if (settings.public_api.ext['getmasternodelist'] || (req.headers['x-requested-with'] != null && req.headers['x-requested-with'].toLowerCase() == 'xmlhttprequest' && req.headers.referer != null && req.headers.accept.indexOf('text/javascript') > -1 && req.headers.accept.indexOf('application/json') > -1)) {
+ if ((settings.display.api == true && settings.public_api.ext['getmasternodelist']) || (req.headers['x-requested-with'] != null && req.headers['x-requested-with'].toLowerCase() == 'xmlhttprequest' && req.headers.referer != null && req.headers.accept.indexOf('text/javascript') > -1 && req.headers.accept.indexOf('application/json') > -1)) {
 // get the masternode list from local collection
 db.get_masternodes(function(masternodes) {
 // loop through masternode list and remove the mongo _id and __v keys
@@ -378,7 +378,7 @@ app.use('/ext/getmasternodelist', function(req, res) {
 // returns a list of masternode reward txs for a single masternode address from a specific block height
 app.use('/ext/getmasternoderewards/:hash/:since', function(req, res) {
 // check if the getmasternoderewards api is enabled
- if (settings.public_api.ext['getmasternoderewards']) {
+ if (settings.display.api == true && settings.public_api.ext['getmasternoderewards']) {
 db.get_masternode_rewards(req.params.hash, req.params.since, function(rewards) {
 if (rewards != null) {
 // loop through the tx list to fix vout values and remove unnecessary data such as the always empty vin array and the mongo _id and __v keys
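Review bot: In the getmasternodelist hunk the new condition still dereferences `req.headers.accept` without a null check, so a request that carries `X-Requested-With` and `Referer` but no `Accept` header throws a TypeError inside the handler instead of reaching the disabled branch; the tail of the guard should read `req.headers.accept != null && req.headers.accept.indexOf('text/javascript') > -1 && req.headers.accept.indexOf('application/json') > -1`. Because those three headers are entirely client-controlled, the right-hand side of the `||` also means `settings.display.api = false` does not make this endpoint private — anyone who sets them keeps reading the masternode list — which is worth saying explicitly in the settings documentation if the whitelist is not being tightened in this commit. The `db.get_masternodes` callback continues beyond the hunk.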
@@ -403,7 +403,7 @@ app.use('/ext/getmasternoderewards/:hash/:since', function(req, res) {
 // returns the total masternode rewards received for a single masternode address from a specific block height
 app.use('/ext/getmasternoderewardstotal/:hash/:since', function(req, res) {
 // check if the getmasternoderewardstotal api is enabled
- if (settings.public_api.ext['getmasternoderewardstotal']) {
+ if (settings.display.api == true && settings.public_api.ext['getmasternoderewardstotal']) {
 db.get_masternode_rewards_totals(req.params.hash, req.params.since, function(total_rewards) {
 if (total_rewards != null) {
 // return the total of masternode rewards
diff --git a/lib/nodeapi.js b/lib/nodeapi.js
index 4cdf884..c34591b 100644
--- a/lib/nodeapi.js
+++ b/lib/nodeapi.js
@@ -85,7 +85,7 @@ module.exports = function() {
 var method_enabled = settings.public_api.rpc[method];
 // only show disabled msg for outside calls. internal calls should always go through
- if (method_enabled == null || !method_enabled && req.headers.host.indexOf('127.0.0.1') == -1)
+ if ((!settings.display.api || method_enabled == null || !method_enabled) && req.headers.host.indexOf('127.0.0.1') == -1)
 res.end('This method is disabled');
 else {
 if (accesslist.type == 'all')
diff --git a/routes/index.js b/routes/index.js
index 03bd323..9d1c21e 100644
--- a/routes/index.js
+++ b/routes/index.js
@@ -196,7 +196,14 @@ router.get('/', function(req, res) {
 });
 router.get('/info', function(req, res) {
- res.render('info', { active: 'info', address: settings.address, hashes: settings.api, showSync: db.check_show_sync_message() });
+ // ensure api page is enabled
+ if (settings.display.api == true) {
+ // load the api page
+ res.render('info', { active: 'info', address: settings.address, hashes: settings.api, showSync: db.check_show_sync_message() });
+ } else {
+ // api page is not enabled so default to the index page
+ route_get_index(res, null);
+ }
 });
 router.get('/markets/:market', function(req, res) {
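Review bot: The "internal call" exemption in the new nodeapi.js condition is still decided by `req.headers.host.indexOf('127.0.0.1') == -1`, and the Host header is chosen by the client: an outside caller that sends `Host: 127.0.0.1` (or any host string containing it, such as `127.0.0.1.attacker.example`) satisfies the test and reaches disabled RPC methods regardless of `settings.display.api` or `public_api.rpc`. The origin check should use the connection rather than a header, e.g. `var is_local = ['127.0.0.1', '::1', '::ffff:127.0.0.1'].indexOf(req.socket.remoteAddress) > -1;` followed by `if ((!settings.display.api || method_enabled == null || !method_enabled) && !is_local)`; behind a reverse proxy use `req.ip` with Express `trust proxy` configured instead. The same line also throws when a request arrives without a Host header, because `req.headers.host` is then undefined. Note that the regrouped parentheses change behaviour for local callers as well: before, `method_enabled == null` was rejected from any origin, whereas now an unknown method name passes through from 127.0.0.1 — confirm that is intended. The enclosing function starts before the hunk and its body continues past it.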
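Review bot: In the routes/index.js hunk the new else branch answers a disabled `/info` by rendering the index page in place via `route_get_index(res, null)`, so the URL still returns 200 with a duplicate of `/` rather than signalling that the page is off; a `res.redirect('/');` (or a 404) makes the disabled state visible to clients and avoids two indexable copies of the same page. `route_get_index` and the meaning of its second argument are defined outside this hunk, so whether `null` is an acceptable value there cannot be confirmed from the diff — presumably it is an error message slot, worth a short comment such as `// null: no error banner to show` if so. The rest of the router file lies outside the hunk.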