feat(security): hardcode API mode and disable token authentication

- Hardcode APIMode=true in settings.h (const, cannot be changed)
- Remove accessToken from settings struct
- Disable token authentication (authorized=false permanently)
- Disable default_url feature - users must provide url parameter
- Remove api_mode and api_access_token from all config files
- Remove API_MODE and API_TOKEN environment variable support

This is a security enhancement that forces API-mode-only operation.
Users must provide url parameter for all conversions.
This commit is contained in:
Aethersailor
2025-12-29 17:19:15 +08:00
parent 65c1d28595
commit 92d690637b
7 changed files with 1231 additions and 1299 deletions

View File

@@ -1,9 +1,7 @@
[common]
;API mode, set to true to prevent loading local subscriptions or serving local files directly
api_mode=true
;API mode is hardcoded to true for security - cannot be configured
;Token authentication is disabled - users must provide url parameter
;Access token used for performing critical action through Web interface
api_access_token=password
;Default URLs, used when no URL is provided in request, use "|" to separate multiple subscription links, supports local files/URL
default_url=

View File

@@ -1,10 +1,8 @@
version = 1
[common]
# API mode, set to true to prevent loading local subscriptions or serving local files directly
api_mode = true
# API mode is hardcoded to true for security - cannot be configured
# Token authentication is disabled - users must provide url parameter
# Access token used for performing critical action through Web interface
api_access_token = "password"
# Default URLs, used when no URL is provided in request, use "|" to separate multiple subscription links, supports local files/URL
default_url = []

View File

@@ -1,6 +1,5 @@
common:
api_mode: true
api_access_token: password
# API mode is hardcoded to true - token auth disabled
default_url: []
enable_insert: true
insert_url: []