Add option to disable easy to abuse API endpoints (#5630)

* Add option to disable easy to abuse API endpoints

The API endpoints that will be disabled when this option are:
 - /api/v1/videos
 - /api/v1/clips
 - /api/v1/transcripts

There is still API endponts that need some sort of validation or
connection/proxying to Invidious companion like
`/api/v1/captions` and `/api/v1/storyboards` since they also do a video
request to Invidious companion. I'm not sure if the `/next` API endpoint
could be used to gather that type of information, if so, that would be
better.

Closes #5599

* Rename configuration variable, add additional comment for the option
This commit is contained in:
Fijxu
2026-06-30 05:55:47 -04:00
committed by GitHub
parent d61dd7205c
commit 9c62c8b660
4 changed files with 39 additions and 13 deletions

View File

@@ -217,6 +217,7 @@ end
Kemal.config.powered_by_header = false
add_handler FilteredCompressHandler.new
add_handler APIHandler.new
add_handler DisableAbusableAPIHandler.new
add_handler AuthHandler.new
add_handler DenyFrame.new

View File

@@ -183,6 +183,9 @@ class Config
# Playlist length limit
property playlist_length_limit : Int32 = 500
# Disable easy to abuse API endpoints
property disable_abusable_api : Bool = false
def disabled?(option)
case disabled = CONFIG.disable_proxy
when Bool

View File

@@ -133,6 +133,26 @@ class APIHandler < Kemal::Handler
end
end
class DisableAbusableAPIHandler < Kemal::Handler
{% for method in %w(GET HEAD) %}
# This endpoints make a video request to Invidious companion.
{% for endpoint in %w(videos clips transcripts) %}
only ["/api/v1/{{ endpoint.id }}/:id"], {{ method }}
{% end %}
{% end %}
def call(env)
return call_next env unless only_match?(env) && CONFIG.disable_abusable_api
env.response.content_type = "application/json"
env.response.status_code = 403
message = {"error" => "This API endpoint has been disabled by the administrator."}.to_json
env.response.print message
env.response.close
return
end
end
class DenyFrame < Kemal::Handler
exclude ["/embed/*"]