Overhauled UI to be more pfSense-like and organized, added custom_headers and allow_options fields to API configuration, updated /api/v1/system/api endpoint to accomodate changes, updated documentation

Author: jaredhendrickson13

docs/documentation.json

@@ -4356,15 +4356,15 @@
 								"header": [],
 								"body": {
 									"mode": "raw",
-									"raw": "{\n    \"persist\": false, \n    \"jwt_exp\": 86400, \n    \"authmode\": \"token\",\n    \"hashalgo\": \"sha512\", \n    \"keybytes\": 64, \n    \"allowed_interfaces\": [\"WAN\"]\n}",
+									"raw": "{\n    \"persist\": false, \n    \"jwt_exp\": 86400, \n    \"authmode\": \"token\",\n    \"hashalgo\": \"sha512\", \n    \"keybytes\": 64, \n    \"allowed_interfaces\": [\"WAN\"],\n    \"custom_headers\": {\"custom-header-1\": \"Value1\", \"custom-header-2\": \"Value2\"},\n    \"allow_options\": true\n}",
 									"options": {
 										"raw": {
 											"language": "json"
 										}
 									}
 								},
 								"url": {
-									"raw": "https://{{$hostname}}/api/v1/system/api?enable=boolean&persist=boolean&readonly=boolean&available_interfaces=array&authmode=string&jwt_exp=integer&keyhash=string&keybytes=integer",
+									"raw": "https://{{$hostname}}/api/v1/system/api?enable=boolean&persist=boolean&readonly=boolean&allow_options=boolean&available_interfaces=array&authmode=string&jwt_exp=integer&keyhash=string&keybytes=integer&custom_headers=array",
 									"protocol": "https",
 									"host": [
 										"{{$hostname}}"
@@ -4391,6 +4391,11 @@
 											"value": "boolean",
 											"description": "Enable read only mode. If set to `true`, the API will only answer read (GET) requests. This also means you will not be able to disable read only mode from the API. "
 										},
+										{
+											"key": "allow_options",
+											"value": "boolean",
+											"description": "Enable/disable the OPTIONS request method from API responses. If set to `true`, the API will answer OPTIONS requests. If set to `false`, the API will return a 405 Method Not Allowed response. (optional)"
+										},
 										{
 											"key": "available_interfaces",
 											"value": "array",
@@ -4415,6 +4420,11 @@
 											"key": "keybytes",
 											"value": "integer",
 											"description": "Update the key byte strength to use when generating API tokens. Choices are `16`, `32` and `64`. This Is only applicable when the `authmode` setting Is set to `token`. (optional)"
+										},
+										{
+											"key": "custom_headers",
+											"value": "array",
+											"description": "Update the custom response headers for the API to return in API responses. This must be an array of key-value pairs (e.g. `{\"custom-header\": \"custom-header-value}`. To revert custom headers to the default state, simply pass in an empty array. In most cases, custom headers are not necessary. An example use case for custom headers is setting CORS policy headers required by some frontend web applications. (optional)"
 										}
 									]
 								},

pfSense-pkg-API/files/etc/inc/api/framework/APIEndpoint.inc

@@ -53,21 +53,42 @@ class APIEndpoint {
 
     # Listen for HTTP requests and call the corresponding method
     public function listen() {
+        $pkg_config = APITools\get_api_config()[1];
+
+        # Before responding, ensure the request method is allowed
         if ($_SERVER["REQUEST_METHOD"] === "GET") {
             $resp = (new APIQuery($this->get(), $this->query_excludes))->query();
-        } elseif ($_SERVER["REQUEST_METHOD"] === "POST") {
+        }
+        elseif ($_SERVER["REQUEST_METHOD"] === "POST") {
             $resp = $this->post();
-        } elseif ($_SERVER["REQUEST_METHOD"] === "PUT") {
+        }
+        elseif ($_SERVER["REQUEST_METHOD"] === "PUT") {
             $resp = $this->put();
-        } elseif ($_SERVER["REQUEST_METHOD"] === "DELETE") {
+        }
+        elseif ($_SERVER["REQUEST_METHOD"] === "DELETE") {
             $resp = $this->delete();
-        } else {
+        }
+        # Only allow OPTIONS requests if the allow options setting is checked
+        elseif ($_SERVER["REQUEST_METHOD"] === "OPTIONS" and isset($pkg_config["allow_options"])) {
+            $resp = APIResponse\get(0);
+        }
+        # Method is not allowed when no match, set error response
+        else {
             $resp = APIResponse\get(2);
         }
 
-        # Format the HTTP response as JSON and set response code
+        # Add custom response headers if configured
+        if (!empty($pkg_config["custom_headers"])) {
+            foreach ($pkg_config["custom_headers"] as $name=>$value) {
+                header(strval($name).": ".strval($value));
+            }
+        }
+
+        # Add API required response headers, these will override any custom headers
         header("Content-Type: application/json", true);
         header("Referer: no-referrer");
+
+        # Format the HTTP response as JSON and set response code
         http_response_code($resp["code"]);
         echo json_encode($resp) . PHP_EOL;
         session_destroy();

pfSense-pkg-API/files/etc/inc/api/framework/APIResponse.inc

@@ -240,7 +240,19 @@ function get($id, $data=[], $all=false) {
             "status" => "bad request",
             "code" => 400,
             "return" => $id,
-            "message" => "Unsupport API token bytes count"
+            "message" => "Unsupported API token bytes count"
+        ],
+        1025 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "API custom headers must be an array containing key-value pairs"
+        ],
+        1026 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "API custom header key-value pairs must be string types"
         ],
 
         // 2000-2999 reserved for /services API calls

pfSense-pkg-API/files/etc/inc/api/models/APISystemAPIUpdate.inc

@@ -59,6 +59,15 @@ class APISystemAPIUpdate extends APIModel {
         }
     }
 
+    private function __validate_allow_options() {
+        # Check for our optional 'allow_options' payload value
+        if ($this->initial_data['allow_options'] === true) {
+            $this->validated_data["allow_options"] = "";
+        } elseif ($this->initial_data['allow_options'] === false) {
+            unset($this->validated_data["allow_options"]);
+        }
+    }
+
     private function __validate_allowed_interfaces() {
         # Local variables
         $non_config_ifs = array("any" => "Any", "localhost" => "Link-local");
@@ -85,6 +94,28 @@ class APISystemAPIUpdate extends APIModel {
         }
     }
 
+    private function __validate_custom_headers() {
+        # Check for our optional 'custom_headers' payload value
+        if (isset($this->initial_data["custom_headers"]) and !empty($this->initial_data["custom_headers"])) {
+            if (is_array($this->initial_data["custom_headers"])) {
+                # Loop through each requested header and ensure types are valid
+                foreach ($this->initial_data["custom_headers"] as $key=>$value) {
+                    if (!is_string($key) or !is_string($value)) {
+                        $this->errors[] = APIResponse\get(1026);
+                        break;
+                    }
+                }
+                $this->validated_data["custom_headers"] = $this->initial_data["custom_headers"];
+            } else {
+                $this->errors[] = APIResponse\get(1025);
+            }
+        }
+        # When the custom_headers was passed in but is empty, unset custom headers
+        elseif (isset($this->initial_data["custom_headers"]) and empty($this->initial_data["custom_headers"])) {
+            unset($this->validated_data["custom_headers"]);
+        }
+    }
+
     private function __validate_authmode() {
         # Check for our option 'authmode' payload value
         if (isset($this->initial_data["authmode"])) {
@@ -137,10 +168,12 @@ class APISystemAPIUpdate extends APIModel {
         $this->__validate_enable();
         $this->__validate_persist();
         $this->__validate_readonly();
+        $this->__validate_allow_options();
         $this->__validate_allowed_interfaces();
         $this->__validate_authmode();
         $this->__validate_jwt_exp();
         $this->__validate_keyhash();
         $this->__validate_keybytes();
+        $this->__validate_custom_headers();
     }
 }

pfSense-pkg-API/files/usr/local/www/api/index.php

@@ -13,33 +13,35 @@
 //   See the License for the specific language governing permissions and
 //   limitations under the License.
 
-# Imports and inits
 include_once("util.inc");
 include_once("guiconfig.inc");
 require_once("api/framework/APITools.inc");
 
+# Initialize the pfSense UI page (note: $pgtitle must be defined before including head.inc)
 $pgtitle = array(gettext('System'), gettext('API'), gettext('Settings'));
 include('head.inc');
+echo "<link rel='stylesheet' href='/css/api.css'/>";
+echo "<script type='application/javascript' src='/js/api.js'></script>";
 $tab_array = [[gettext("Settings"), true, "/api/"], [gettext("Documentation"), false, "/api/documentation/"]];
 display_top_tabs($tab_array, true);    # Ensure the tabs are written to the top of page
 
-
 # Variables
 global $config;
 $form = new Form(false);
 $general_section = new Form_Section('General Settings');
 $token_section = new Form_Section('API Token Settings');
 $jwt_section = new Form_Section('JWT Settings');
-$advanced_section = new Form_Section('Advanced Settings');
+$advanced_section = new Form_Section('Advanced Settings', 'api-advanced-settings');
 $pkg_index = APITools\get_api_config()[0];
 $pkg_config = APITools\get_api_config()[1];
 
-# UPON POST
+# Generate new API token if requested
 if ($_POST["gen"] === "1") {
     $new_key = APITools\generate_token($_SESSION["Username"]);
     print_apply_result_box(0, "\nSave this API key somewhere safe, it cannot be viewed again: \n".$new_key);
 }
-# Rotate JWT server key requested
+
+# Rotate JWT server key if requested
 if ($_POST["rotate_server_key"]) {
     $config["installedpackages"]["package"][$pkg_index]["conf"]["keys"] = [];
     APITools\create_jwt_server_key(true);
@@ -54,6 +56,8 @@
     write_config(sprintf(gettext($change_note)));
     print_apply_result_box(0);
 }
+
+# Upon normal save, update changed values
 if (isset($_POST["save"])) {
     # Save enable value to config
     if (isset($_POST["enable"])) {
@@ -69,7 +73,7 @@
     if (isset($_POST["authmode"])) {
         $pkg_config["authmode"] = $_POST["authmode"];
     }
-    # Save JWT expiration value to coonfig
+    # Save JWT expiration value to config
     if (isset($_POST["jwt_exp"])) {
         $pkg_config["jwt_exp"] = $_POST["jwt_exp"];
     }
@@ -94,20 +98,53 @@
     } else {
         unset($pkg_config["readonly"]);
     }
-    # Write and apply our changes, leave a session variable indicating save, then reload the page
-    $config["installedpackages"]["package"][$pkg_index]["conf"] = $pkg_config;
-    $change_note = " Updated API settings";
-    write_config(sprintf(gettext($change_note)));
-    APITools\create_jwt_server_key();
-    print_apply_result_box(0);
+    # Save our allow OPTIONS value
+    if (isset($_POST["allow_options"])) {
+        $pkg_config["allow_options"] = "";
+    } else {
+        unset($pkg_config["allow_options"]);
+    }
+    # Save any custom headers specified
+    if (!empty($_POST["custom_headers"])) {
+        # Decode the JSON string to ensure it is valid
+        $headers = json_decode($_POST["custom_headers"], true);
+
+        # Only save the new value if it was a successfully decoded JSON string
+        if (is_array($headers)) {
+            # Loop through each requested header and ensure types are valid
+            foreach ($headers as $key=>$value) {
+                if (!is_string($key) or !is_string($value)) {
+                    print_input_errors(["Custom headers key-value pairs must be string types."]);
+                    $has_errors = true;
+                    break;
+                }
+            }
+            $pkg_config["custom_headers"] = $headers;
+        } else {
+            print_input_errors(["Custom headers must be a JSON string containing key-value pairs."]);
+            $has_errors = true;
+        }
+    } else {
+        unset($pkg_config["custom_headers"]);
+    }
+
+    # Only write changes if no errors occurred
+    if (!$has_errors) {
+        # Write and apply our changes, leave a session variable indicating save, then reload the page
+        $config["installedpackages"]["package"][$pkg_index]["conf"] = $pkg_config;
+        $change_note = " Updated API settings";
+        write_config(sprintf(gettext($change_note)));
+        APITools\create_jwt_server_key();
+        print_apply_result_box(0);
+    }
 }
 
 # Backup our configuration is persist is enabled and the request is a POST request
 if(isset($pkg_config["persist"]) and $_SERVER["REQUEST_METHOD"] === "POST") {
     shell_exec("/usr/local/share/pfSense-pkg-API/manage.php backup");
 }
 
-# POPULATE THE GENERAL SECTION OF THE UI
+# Populate the GENERAL section of the UI form
 $general_section->addInput(new Form_Checkbox(
     'enable',
     'Enable',
@@ -142,16 +179,26 @@
     $pkg_config["allowed_interfaces"],
     array_merge(["any" => "Any", "localhost" => "Link-local"], get_configured_interface_with_descr(true)),
     true
-));
+))->setHelp(
+    "Select interfaces that are allowed to respond to API requests."
+);
 
 $general_section->addInput(new Form_Select(
     'authmode',
     'Authentication Mode',
     $pkg_config["authmode"],
     ["local" => "Local Database", "token" => "API Token", "jwt" => "JWT"]
-));
+))->setHelp(
+    "Select the mode used to authenticate API requests See the <a href='/api/documentation/'>developer documentation</a>
+    for more information on API authentication."
+);
+
+# Add toggle button to show/hide the advanced settings
+$show_adv_btn = new Form_Button('display_advanced', 'Display Advanced', null, 'fa-cog');
+$show_adv_btn->setAttribute('type','button')->addClass('btn-info btn-sm')->setOnClick("toggle_advanced_settings()");
+$general_section->addInput(new Form_StaticText('Advanced Settings', $show_adv_btn));
 
-# POPULATE THE API TOKEN SECTION OF THE UI
+### Populate the API TOKEN section of the UI form
 $token_section->addInput(new Form_Select(
     'keyhash',
     'Token Hash Algorithm',
@@ -160,6 +207,7 @@
 ))->setHelp(
     "Hashing algorithm used when generating API tokens."
 );
+
 $token_section->addInput(new Form_Select(
     'keybytes',
     'Token Bit Strength',
@@ -169,7 +217,7 @@
     "Bit strength used when generating API tokens."
 );
 
-# POPULATE THE JWT SECTION OF THE UI
+### Populate the JWT section of the UI form
 $jwt_section->addInput(new Form_Input(
     'jwt_exp',
     'JWT Expiration',
@@ -181,43 +229,45 @@
     86400 seconds (1 day)."
 );
 
-# POPULATE THE ADVANCED SECTION OF THE UI
+### Populate the ADVANCED section of the UI form
+$advanced_section->addClass("hide-api-advanced-settings");
 $advanced_section->addInput(new Form_Checkbox(
     'allow_options',
     'OPTIONS Method',
     'Allow OPTIONS Request Method',
-    $pkg_config["allow_options"]
-))->setHelp("Allow API to answer OPTIONS requests. This is sometimes required for integration with frontend web applications.");
+    isset($pkg_config["allow_options"])
+))->setHelp(
+    "Allow API to answer OPTIONS requests. This is sometimes required for integration with frontend web applications."
+);
+
 $advanced_section->addInput(new Form_Textarea(
     'custom_headers',
-    'Custom Response Headers',
+    'Custom Headers',
     (is_array($pkg_config["custom_headers"])) ? json_encode($pkg_config["custom_headers"]) : ""
 ))->setHelp(
     'Specify custom response headers to return with API responses. This must be JSON encoded string containing key-value
-     pairs (e.g. {"test-header-name": "test-header-value"}). This may be required by some HTTP clients and frameworks.
+     pairs (e.g. <code>{"test-header-name": "test-header-value"}</code>). This may be required by some HTTP clients and frameworks.
      For example, this can be used to set CORS policy headers required by frontend web applications.'
 );
 
-
-# POPULATE OUR COMPLETE FORM
+# Populate the entire form
 $form->add($general_section);
 $form->add($advanced_section);
-
-# Only display the Token or JWT sections if they are the selected auth mode
 ($pkg_config["authmode"] === "token") ? $form->add($token_section) : null;
 ($pkg_config["authmode"] === "jwt") ? $form->add($jwt_section) : null;
+
+# Add buttons below the form
 $rotate_btn = new Form_Button('rotate_server_key', 'Rotate server key', null, 'fa-level-up');
 $rotate_btn->addClass('btn btn-sm btn-success');
 $rotate_btn->setOnclick("return confirm(\"Rotating the server key will void any existng API tokens and JWTs. Proceed?\");");
-$form->addGlobal($rotate_btn);
 $form->addGlobal(new Form_Button('save', 'Save', null, 'fa-save'))->addClass('btn btn-sm btn-primary api-save-btn');
+(in_array($pkg_config["authmode"], ["token", "jwt"])) ? $form->addGlobal($rotate_btn) : null;
 $form->addGlobal(new Form_Button('report', 'Report an Issue', 'https://github.com/jaredhendrickson13/pfsense-api/issues/new', ''))->addClass('fa fa-question-circle api-report');
 
-# PRINT OUR FORM AND PFSENSE FOOTER
+# Display the populated configuration form
 print $form;
-//print "<a style=\"float: right;\" class=\"fa fa-question-circle\" href='https://github.com/jaredhendrickson13/pfsense-api/issues/new'> <span style=\"font-family: 'Helvetica'; font-size: 14px;\">Report an Issue</span></a>";
 
-# POPULATE TOKEN TABLE
+# POPULATE TOKEN TABLE IF TOKEN AUTH MODE IS SET
 if ($pkg_config["authmode"] === "token") {
     # Pull credentials if configured
     $user_creds = APITools\get_existing_tokens($_SESSION["Username"]);