From: Karel Bilek <kb@karelbilek.com>
Date: Tue, 25 Nov 2025 09:10:53 +0000 (+0100)
Subject: rec: make webserver work without an API key
X-Git-Tag: rec-5.4.0-alpha1~42^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23eadf9ffd11d86e9a925fd4fa278b5f64341ebf;p=thirdparty%2Fpdns.git

rec: make webserver work without an API key

Currently, recursor web server doesn't work if API key is not set, even
when the API key is not actually used in the webserver auth.

Signed-off-by: Karel Bilek <kb@karelbilek.com>
---

diff --git a/pdns/recursordist/rec-rust-lib/rust/src/web.rs b/pdns/recursordist/rec-rust-lib/rust/src/web.rs
index dd3afd45e0..84b13eb5be 100644
--- a/pdns/recursordist/rec-rust-lib/rust/src/web.rs
+++ b/pdns/recursordist/rec-rust-lib/rust/src/web.rs
@@ -173,33 +173,25 @@ fn api_wrapper(
         header::ACCESS_CONTROL_ALLOW_ORIGIN,
         header::HeaderValue::from_static("*"),
     );
-    if ctx.api_ch.is_null() {
-        rustmisc::log(
-            logger,
-            rustweb::Priority::Error,
-            "Authentication failed, API Key missing in config",
-            &vec![rustmisc::KeyValue {
-                key: "urlpath".to_string(),
-                value: request.uri.to_owned(),
-            }],
-        );
-        unauthorized(response, headers, "X-API-Key");
-        return;
-    }
 
     // XXX AUDIT!
-    let mut auth_ok = false;
 
-    if let Some(api) = reqheaders.get("x-api-key") {
-        cxx::let_cxx_string!(s = &api.as_bytes());
-        auth_ok = ctx.api_ch.as_ref().unwrap().matches(&s);
+    let mut auth_ok = false;
+    if !ctx.api_ch.is_null() {
+        if let Some(api) = reqheaders.get("x-api-key") {
+            cxx::let_cxx_string!(s = &api.as_bytes());
+            auth_ok = ctx.api_ch.as_ref().unwrap().matches(&s);
+        }
     }
+
     if !auth_ok {
-        for kv in &request.vars {
-            cxx::let_cxx_string!(s = &kv.value);
-            if kv.key == "api-key" && ctx.api_ch.as_ref().unwrap().matches(&s) {
-                auth_ok = true;
-                break;
+        if !ctx.api_ch.is_null() {
+            for kv in &request.vars {
+                cxx::let_cxx_string!(s = &kv.value);
+                if kv.key == "api-key" && ctx.api_ch.as_ref().unwrap().matches(&s) {
+                    auth_ok = true;
+                    break;
+                }
             }
         }
     }
@@ -220,6 +212,20 @@ fn api_wrapper(
         }
     }
     if !auth_ok {
+        if ctx.api_ch.is_null() {
+            rustmisc::log(
+                logger,
+                rustweb::Priority::Error,
+                "Authentication failed, API Key missing in config",
+                &vec![rustmisc::KeyValue {
+                    key: "urlpath".to_string(),
+                    value: request.uri.to_owned(),
+                }],
+            );
+            unauthorized(response, headers, "X-API-Key");
+            return;
+        }
+
         rustmisc::log(
             logger,
             rustweb::Priority::Error,