mirror of
https://github.com/yusing/godoxy.git
synced 2026-04-23 00:38:33 +02:00
feat(config): opt-in flag for non-loopback local API bind
Validate GODOXY_LOCAL_API_ADDR before starting the unauthenticated local API. Loopback listeners still succeed by default; addresses that bind all interfaces, unspecified IPs, LAN hosts, or non-loopback names need GODOXY_LOCAL_API_ALLOW_NON_LOOPBACK=true. When that opt-in is set and the host is not loopback, log a warning so non-local exposure is obvious. Wire common.LocalAPIAllowNonLoopback from LOCAL_API_ALLOW_NON_LOOPBACK and document it (with a risk note) in .env.example. Add TestValidateLocalAPIAddr for loopback, wildcard, LAN, and hostname cases with the allow flag on and off.
This commit is contained in:
@@ -36,6 +36,7 @@ var (
|
||||
LocalAPIHTTPHost,
|
||||
LocalAPIHTTPPort,
|
||||
LocalAPIHTTPURL = env.GetAddrEnv("LOCAL_API_ADDR", "", "http")
|
||||
LocalAPIAllowNonLoopback = env.GetEnvBool("LOCAL_API_ALLOW_NON_LOOPBACK", false)
|
||||
|
||||
APIJWTSecure = env.GetEnvBool("API_JWT_SECURE", true)
|
||||
APIJWTSecret = decodeJWTKey(env.GetEnvString("API_JWT_SECRET", ""))
|
||||
|
||||
Reference in New Issue
Block a user