From ac734b8335469dfc8c5b1cc172f1d837c952ef34 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Wed, 25 Nov 2020 15:31:41 -0500
Subject: [PATCH] fix: #8912

---
 public/language/en-GB/admin/settings/api.json |  4 +++
 public/src/admin/settings.js                  |  1 +
 src/routes/write/index.js                     | 13 ++++++--
 src/views/admin/settings/api.tpl              | 33 ++++++++++++++-----
 4 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/public/language/en-GB/admin/settings/api.json b/public/language/en-GB/admin/settings/api.json
index ba7d964a04..50892925f3 100644
--- a/public/language/en-GB/admin/settings/api.json
+++ b/public/language/en-GB/admin/settings/api.json
@@ -1,9 +1,13 @@
 {
 	"tokens": "Tokens",
+	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
 	"docs": "Click here to access the full API specification",
 
+	"require-https": "Require API usage via HTTPS only",
+	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
+
 	"uid": "User ID",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",
diff --git a/public/src/admin/settings.js b/public/src/admin/settings.js
index 6732a7bc4f..8716bb0183 100644
--- a/public/src/admin/settings.js
+++ b/public/src/admin/settings.js
@@ -65,6 +65,7 @@ define('admin/settings', ['uploader', 'mousetrap'], function (uploader, mousetra
 
 		saveBtn.off('click').on('click', function (e) {
 			e.preventDefault();
+			console.log(fields);
 
 			saveFields(fields, function onFieldsSaved(err) {
 				if (err) {
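Review bot: The added `console.log(fields);` looks like a leftover debug statement; it dumps the full settings form contents to the browser console on every save click and nothing else in the hunk uses it. Drop the line before merging, as nothing in the commit message or the rest of the patch explains why the output is wanted. The enclosing `define('admin/settings', …)` callback starts outside the hunk.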
diff --git a/src/routes/write/index.js b/src/routes/write/index.js
index d20f1470ac..539668d508 100644
--- a/src/routes/write/index.js
+++ b/src/routes/write/index.js
@@ -1,7 +1,7 @@
 'use strict';
 
-const nconf = require('nconf');
 const winston = require('winston');
+const meta = require('../../meta');
 const plugins = require('../../plugins');
 const middleware = require('../../middleware');
 const helpers = require('../../controllers/helpers');
@@ -10,10 +10,19 @@ const Write = module.exports;
 
 Write.reload = async (params) => {
 	const router = params.router;
+	let apiSettings = await meta.settings.get('core.api');
+	plugins.registerHook('core', {
+		hook: 'action:settings.set',
+		method: async (data) => {
+			if (data.plugin === 'core.api') {
+				apiSettings = await meta.settings.get('core.api');
+			}
+		},
+	});
 
 	router.use('/api/v3', function (req, res, next) {
 		// Require https if configured so
-		if (nconf.get('secure') && req.protocol !== 'https') {
+		if (apiSettings.requireHttps === 'on') {
 			res.set('Upgrade', 'TLS/1.0, HTTP/1.1');
 			return helpers.formatApiResponse(426, res);
 		}
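Review bot: The replaced condition no longer looks at the request's protocol: with `requireHttps` set to `on`, every `/api/v3` request — including those already arriving over HTTPS — receives the 426 response, whereas the removed line only rejected `req.protocol !== 'https'`. The check should keep the protocol test, `if (apiSettings.requireHttps === 'on' && req.protocol !== 'https') {`. Since `req.protocol` reflects `X-Forwarded-Proto` only when Express's `trust proxy` setting is enabled — presumably what the load-balancer caveat in the new language string is about — that is worth saying in the comment above the check, e.g. `// Require https if configured so (req.protocol honours X-Forwarded-Proto only when 'trust proxy' is set)`. The `action:settings.set` hook is registered inside `Write.reload`, so if reload runs more than once the same hook is presumably added again each time. `Write.reload` and the `router.use` callback continue past the hunk.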
diff --git a/src/views/admin/settings/api.tpl b/src/views/admin/settings/api.tpl
index 783d53b6bd..0f40fe9f2d 100644
--- a/src/views/admin/settings/api.tpl
+++ b/src/views/admin/settings/api.tpl
@@ -1,18 +1,33 @@
 <!-- IMPORT admin/partials/settings/header.tpl -->
 
 <form role="form" class="core-api-settings">
+	<p class="lead">[[admin/settings/api:lead-text]]</p>
+	<p>[[admin/settings/api:intro]]</p>
+	<p>
+		<a href="https://docs.nodebb.org/api">
+			<i class="fa fa-external-link"></i>
+			[[admin/settings/api:docs]]
+		</a>
+	</p>
+
+	<hr />
+
 	<div class="row">
-		<div class="col-sm-2 col-xs-12 settings-header">[[admin/settings/api:tokens]]</div>
+		<div class="col-sm-2 col-xs-12 settings-header">[[admin/settings/api:settings]]</div>
 		<div class="col-sm-10 col-xs-12">
-			<p class="lead">[[admin/settings/api:lead-text]]</p>
-			<p>[[admin/settings/api:intro]]</p>
-			<p>
-				<a href="https://docs.nodebb.org/api">
-					<i class="fa fa-external-link"></i>
-					[[admin/settings/api:docs]]
-				</a>
-			</p>
+			<div class="checkbox">
+				<label class="mdl-switch mdl-js-switch mdl-js-ripple-effect">
+					<input id="requireHttps" class="mdl-switch__input" type="checkbox" name="requireHttps" />
+					<span class="mdl-switch__label">[[admin/settings/api:require-https]]</span>
+				</label>
+			</div>
+			<p class="help-block">[[admin/settings/api:require-https-caveat]]</p>
+		</div>
+	</div>
 
+	<div class="row">
+		<div class="col-sm-2 col-xs-12 settings-header">[[admin/settings/api:tokens]]</div>
+		<div class="col-sm-10 col-xs-12">
 			<div class="form-group" data-type="sorted-list" data-sorted-list="tokens" data-item-template="admin/partials/api/sorted-list/item" data-form-template="admin/partials/api/sorted-list/form">
 				<input hidden="text" name="tokens">
 				<ul data-type="list" class="list-group"></ul>