[NF+] Secure API endpoints also, with transition period fallback to current api paths

barryo · barryo · commit f6209e396318 · 2026-02-15T10:45:44.000Z
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
@@ -146,24 +146,25 @@ class Kernel extends HttpKernel
      * @var array
      */
     protected $routeMiddleware = [
+        '2fa'                   => Middleware\Google2FA::class,
+        'apiauth'               => Middleware\ApiAuthenticate::class,
+        'apideprecated'         => Middleware\ApiDeprecated::class,
+        'apimaybeauth'          => Middleware\ApiMaybeAuthenticate::class,
+        'assert.privilege'      => Middleware\AssertUserPrivilege::class,
         'auth'                  => Middleware\Authenticate::class,
         'auth.basic'            => AuthenticateWithBasicAuth::class,
         'auth.session'          => \Illuminate\Session\Middleware\AuthenticateSession::class,
         //'bindings'              => SubstituteBindings::class,
-        'can'                   => Authorize::class,
         'cache.headers'         => SetCacheHeaders::class,
-        'guest'                 => Middleware\RedirectIfAuthenticated::class,
-        'signed'                => Middleware\ValidateSignature::class,
-        'throttle'              => ThrottleRequests::class,
-        'verified'              => EnsureEmailIsVerified::class,
-        'apiauth'               => Middleware\ApiAuthenticate::class,
-        'apimaybeauth'          => Middleware\ApiMaybeAuthenticate::class,
-        'assert.privilege'      => Middleware\AssertUserPrivilege::class,
+        'can'                   => Authorize::class,
         'controller-enabled'    => Middleware\ControllerEnabled::class,
         'eloquent2Frontend'     => Middleware\Eloquent2Frontend::class,
         'grapher'               => Middleware\Services\Grapher::class,
+        'guest'                 => Middleware\RedirectIfAuthenticated::class,
         'rs-prefixes'           => Middleware\RsPrefixes::class,
-        '2fa'                   => Middleware\Google2FA::class,
+        'signed'                => Middleware\ValidateSignature::class,
+        'throttle'              => ThrottleRequests::class,
+        'verified'              => EnsureEmailIsVerified::class,
     ];
 
     /**
diff --git a/app/Http/Middleware/ApiDeprecated.php b/app/Http/Middleware/ApiDeprecated.php
@@ -0,0 +1,57 @@
+<?php
+
+namespace IXP\Http\Middleware;
+
+/*
+ * Copyright (C) 2009 - 2026 Internet Neutral Exchange Association Company Limited By Guarantee.
+ * All Rights Reserved.
+ *
+ * This file is part of IXP Manager.
+ *
+ * IXP Manager is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, version v2.0 of the License.
+ *
+ * IXP Manager is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License v2.0
+ * along with IXP Manager.  If not, see:
+ *
+ * http://www.gnu.org/licenses/gpl-2.0.html
+ */
+
+use Closure;
+
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Log;
+
+
+/**
+ * Middleware: Log uses of deprecated APIs
+ *
+ * @author     Barry O'Donovan <barry@opensolutions.ie>
+ * @category   IXP
+ * @package    IXP\Http\Middleware
+ * @copyright  Copyright (C) 2009 - 2026 Internet Neutral Exchange Association Company Limited By Guarantee
+ * @license    http://www.gnu.org/licenses/gpl-2.0.html GNU GPL V2.0
+ */
+class ApiDeprecated
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param   Request     $r
+     * @param   Closure     $next
+     * @return mixed
+     */
+    public function handle( Request $r, Closure $next )
+    {
+
+        Log::notice( 'UNPREPENDED/DEPRECATED usage of API request ' . $r->path() . ' from ' . ixp_get_client_ip() );
+
+        return $next( $r );
+    }
+}
diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php
@@ -207,13 +207,28 @@ protected function mapApiAuthSuperuserRoutes(): void
              'middleware'   => [
                  'web',
                  'api/v4',
-                 'assert.privilege:' . User::AUTH_SUPERUSER
+                 'assert.privilege:' . User::AUTH_SUPERUSER,
              ],
              'namespace'    => $this->namespace . '\\Api\\V4',
-             'prefix'       => 'api/v4',
+             'prefix'       => 'admin/api/v4',
         ], function () {
             require base_path('routes/apiv4-auth-superuser.php');
         });
+        
+        if( config( 'ixp_api.unsecured_api_access' ) ) {
+            Route::group( [
+                'middleware' => [
+                    'apideprecated',
+                    'web',
+                    'api/v4',
+                    'assert.privilege:' . User::AUTH_SUPERUSER,
+                ],
+                'namespace'  => $this->namespace . '\\Api\\V4',
+                'prefix'     => 'api/v4',
+            ], function() {
+                require base_path( 'routes/apiv4-auth-superuser.php' );
+            } );
+        }
     }
 
 
@@ -232,10 +247,24 @@ protected function mapApiExternalAuthSuperuserRoutes(): void
                 'assert.privilege:' . User::AUTH_SUPERUSER
             ],
             'namespace'     => $this->namespace . '\\Api\\V4',
-            'prefix'        => 'api/v4',
+            'prefix'        => 'admin/api/v4',
         ], function () {
             require base_path('routes/apiv4-ext-auth-superuser.php');
         });
+        
+        if( config( 'ixp_api.unsecured_api_access' ) ) {
+            Route::group( [
+                'middleware' => [
+                    'apideprecated',
+                    'api/v4',
+                    'assert.privilege:' . User::AUTH_SUPERUSER,
+                ],
+                'namespace'  => $this->namespace . '\\Api\\V4',
+                'prefix'     => 'api/v4',
+            ], function() {
+                require base_path( 'routes/apiv4-ext-auth-superuser.php' );
+            } );
+        }
     }
 
 
diff --git a/config/ixp_api.php b/config/ixp_api.php
@@ -151,4 +151,18 @@
     |
     */
     'atlas_measurement_key' => env( 'ATLAS_MEASUREMENT_KEY', '' ),
+    
+    
+    /*
+    |--------------------------------------------------------------------------
+    | Unsecured API paths
+    |--------------------------------------------------------------------------
+    |
+    | IXP Manager v7.1.0 introduced an admin/ prepend on APIs for securing them.
+    |
+    | See: https://docs.ixpmanager.org/install/security/
+    */
+
+    'unsecured_api_access' => env( 'UNSECURED_API_ACCESS', true ),
+
 ];
diff --git a/config/ixp_fe_settings.php b/config/ixp_fe_settings.php
@@ -538,7 +538,17 @@
                     'help'       => 'PeeringDB OAuth - post authentication redirect target on IXP Manager. Assuming your '
                                         . 'APP_URL is correct, then: <code>' . config('app.url') . '/auth/login/peeringdb/callback</code>'
                 ],
-
+                
+                'unsecured_api_access'                => [
+                    'config_key' => 'ixp_api.unsecured_api_access',
+                    'dotenv_key' => 'UNSECURED_API_ACCESS',
+                    'type'       => 'radio',
+                    'rules'      => 'boolean',
+                    'name'       => 'Unsecured API Access Enabled',
+                    'docs_url'   => 'https://docs.ixpmanager.org/install/security/',
+                    'help'       => 'IXP Manager v7.1.0 introduced an admin/ prepend on APIs for securing them. For v7.1.0 only, unsecured access will be enabled by default to allow administrators migrate their API clients.',
+                ],
+            
             ],
 
         ],
