Merge pull request #88 from jaredhendrickson13/ui_upgrades

UI Upgrades & Features

Author: jaredhendrickson13

docs/documentation.json

@@ -4356,15 +4356,15 @@
 								"header": [],
 								"body": {
 									"mode": "raw",
-									"raw": "{\n    \"persist\": false, \n    \"jwt_exp\": 86400, \n    \"authmode\": \"token\",\n    \"hashalgo\": \"sha512\", \n    \"keybytes\": 64, \n    \"allowed_interfaces\": [\"WAN\"]\n}",
+									"raw": "{\n    \"persist\": false, \n    \"jwt_exp\": 86400, \n    \"authmode\": \"token\",\n    \"hashalgo\": \"sha512\", \n    \"keybytes\": 64, \n    \"allowed_interfaces\": [\"WAN\"],\n    \"custom_headers\": {\"custom-header-1\": \"Value1\", \"custom-header-2\": \"Value2\"},\n    \"allow_options\": true\n}",
 									"options": {
 										"raw": {
 											"language": "json"
 										}
 									}
 								},
 								"url": {
-									"raw": "https://{{$hostname}}/api/v1/system/api?enable=boolean&persist=boolean&readonly=boolean&available_interfaces=array&authmode=string&jwt_exp=integer&keyhash=string&keybytes=integer",
+									"raw": "https://{{$hostname}}/api/v1/system/api?enable=boolean&persist=boolean&readonly=boolean&allow_options=boolean&available_interfaces=array&authmode=string&jwt_exp=integer&keyhash=string&keybytes=integer&custom_headers=array",
 									"protocol": "https",
 									"host": [
 										"{{$hostname}}"
@@ -4391,6 +4391,11 @@
 											"value": "boolean",
 											"description": "Enable read only mode. If set to `true`, the API will only answer read (GET) requests. This also means you will not be able to disable read only mode from the API. "
 										},
+										{
+											"key": "allow_options",
+											"value": "boolean",
+											"description": "Enable/disable the OPTIONS request method from API responses. If set to `true`, the API will answer OPTIONS requests. If set to `false`, the API will return a 405 Method Not Allowed response. (optional)"
+										},
 										{
 											"key": "available_interfaces",
 											"value": "array",
@@ -4415,6 +4420,11 @@
 											"key": "keybytes",
 											"value": "integer",
 											"description": "Update the key byte strength to use when generating API tokens. Choices are `16`, `32` and `64`. This Is only applicable when the `authmode` setting Is set to `token`. (optional)"
+										},
+										{
+											"key": "custom_headers",
+											"value": "array",
+											"description": "Update the custom response headers for the API to return in API responses. This must be an array of key-value pairs (e.g. `{\"custom-header\": \"custom-header-value}`. To revert custom headers to the default state, simply pass in an empty array. In most cases, custom headers are not necessary. An example use case for custom headers is setting CORS policy headers required by some frontend web applications. (optional)"
 										}
 									]
 								},

pfSense-pkg-API/files/etc/inc/api/framework/APIEndpoint.inc

@@ -53,21 +53,42 @@ class APIEndpoint {
 
     # Listen for HTTP requests and call the corresponding method
     public function listen() {
+        $pkg_config = APITools\get_api_config()[1];
+
+        # Before responding, ensure the request method is allowed
         if ($_SERVER["REQUEST_METHOD"] === "GET") {
             $resp = (new APIQuery($this->get(), $this->query_excludes))->query();
-        } elseif ($_SERVER["REQUEST_METHOD"] === "POST") {
+        }
+        elseif ($_SERVER["REQUEST_METHOD"] === "POST") {
             $resp = $this->post();
-        } elseif ($_SERVER["REQUEST_METHOD"] === "PUT") {
+        }
+        elseif ($_SERVER["REQUEST_METHOD"] === "PUT") {
             $resp = $this->put();
-        } elseif ($_SERVER["REQUEST_METHOD"] === "DELETE") {
+        }
+        elseif ($_SERVER["REQUEST_METHOD"] === "DELETE") {
             $resp = $this->delete();
-        } else {
+        }
+        # Only allow OPTIONS requests if the allow options setting is checked
+        elseif ($_SERVER["REQUEST_METHOD"] === "OPTIONS" and isset($pkg_config["allow_options"])) {
+            $resp = APIResponse\get(0);
+        }
+        # Method is not allowed when no match, set error response
+        else {
             $resp = APIResponse\get(2);
         }
 
-        # Format the HTTP response as JSON and set response code
+        # Add custom response headers if configured
+        if (!empty($pkg_config["custom_headers"])) {
+            foreach ($pkg_config["custom_headers"] as $name=>$value) {
+                header(strval($name).": ".strval($value));
+            }
+        }
+
+        # Add API required response headers, these will override any custom headers
         header("Content-Type: application/json", true);
         header("Referer: no-referrer");
+
+        # Format the HTTP response as JSON and set response code
         http_response_code($resp["code"]);
         echo json_encode($resp) . PHP_EOL;
         session_destroy();

pfSense-pkg-API/files/etc/inc/api/framework/APIResponse.inc

@@ -240,7 +240,19 @@ function get($id, $data=[], $all=false) {
             "status" => "bad request",
             "code" => 400,
             "return" => $id,
-            "message" => "Unsupport API token bytes count"
+            "message" => "Unsupported API token bytes count"
+        ],
+        1025 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "API custom headers must be an array containing key-value pairs"
+        ],
+        1026 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "API custom header key-value pairs must be string types"
         ],
 
         // 2000-2999 reserved for /services API calls

pfSense-pkg-API/files/etc/inc/api/models/APISystemAPIUpdate.inc

@@ -59,6 +59,15 @@ class APISystemAPIUpdate extends APIModel {
         }
     }
 
+    private function __validate_allow_options() {
+        # Check for our optional 'allow_options' payload value
+        if ($this->initial_data['allow_options'] === true) {
+            $this->validated_data["allow_options"] = "";
+        } elseif ($this->initial_data['allow_options'] === false) {
+            unset($this->validated_data["allow_options"]);
+        }
+    }
+
     private function __validate_allowed_interfaces() {
         # Local variables
         $non_config_ifs = array("any" => "Any", "localhost" => "Link-local");
@@ -85,6 +94,28 @@ class APISystemAPIUpdate extends APIModel {
         }
     }
 
+    private function __validate_custom_headers() {
+        # Check for our optional 'custom_headers' payload value
+        if (isset($this->initial_data["custom_headers"]) and !empty($this->initial_data["custom_headers"])) {
+            if (is_array($this->initial_data["custom_headers"])) {
+                # Loop through each requested header and ensure types are valid
+                foreach ($this->initial_data["custom_headers"] as $key=>$value) {
+                    if (!is_string($key) or !is_string($value)) {
+                        $this->errors[] = APIResponse\get(1026);
+                        break;
+                    }
+                }
+                $this->validated_data["custom_headers"] = $this->initial_data["custom_headers"];
+            } else {
+                $this->errors[] = APIResponse\get(1025);
+            }
+        }
+        # When the custom_headers was passed in but is empty, unset custom headers
+        elseif (isset($this->initial_data["custom_headers"]) and empty($this->initial_data["custom_headers"])) {
+            unset($this->validated_data["custom_headers"]);
+        }
+    }
+
     private function __validate_authmode() {
         # Check for our option 'authmode' payload value
         if (isset($this->initial_data["authmode"])) {
@@ -137,10 +168,12 @@ class APISystemAPIUpdate extends APIModel {
         $this->__validate_enable();
         $this->__validate_persist();
         $this->__validate_readonly();
+        $this->__validate_allow_options();
         $this->__validate_allowed_interfaces();
         $this->__validate_authmode();
         $this->__validate_jwt_exp();
         $this->__validate_keyhash();
         $this->__validate_keybytes();
+        $this->__validate_custom_headers();
     }
 }