From df933f5dc47f9d779a80e8f63d317379c0bc2650 Mon Sep 17 00:00:00 2001
From: NGPixel <github@ngpixel.com>
Date: Sun, 23 Feb 2020 15:30:40 -0500
Subject: [PATCH] fix: reject API tokens if API is disabled

---
 server/core/auth.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server/core/auth.js b/server/core/auth.js
index 6f0cde1c..850992c7 100644
--- a/server/core/auth.js
+++ b/server/core/auth.js
@@ -140,7 +140,9 @@ module.exports = {
 
       // Process API tokens
       if (_.has(user, 'api')) {
-        if (_.includes(WIKI.auth.validApiKeys, user.api)) {
+        if (!WIKI.config.api.isEnabled) {
+          return next(new Error('API is disabled. You must enable it from the Administration Area first.'))
+        } else if (_.includes(WIKI.auth.validApiKeys, user.api)) {
           req.user = {
             id: 1,
             email: 'api@localhost',