From 9140808717745abbd30685e58ae0b985d9ec305f Mon Sep 17 00:00:00 2001 From: Fijxu Date: Mon, 16 Feb 2026 12:46:15 +0100 Subject: [PATCH 1/2] Add option to disable easy to abuse API endpoints The API endpoints that will be disabled when this option are: - /api/v1/videos - /api/v1/clips - /api/v1/transcripts There is still API endponts that need some sort of validation or connection/proxying to Invidious companion like `/api/v1/captions` and `/api/v1/storyboards` since they also do a video request to Invidious companion. I'm not sure if the `/next` API endpoint could be used to gather that type of information, if so, that would be better. Closes #5599 --- config/config.example.yml | 13 +++++++++++++ src/invidious.cr | 1 + src/invidious/config.cr | 3 +++ src/invidious/helpers/handlers.cr | 20 ++++++++++++++++++++ 4 files changed, 37 insertions(+) diff --git a/config/config.example.yml b/config/config.example.yml index 08005a12..45f956fc 100644 --- a/config/config.example.yml +++ b/config/config.example.yml @@ -436,6 +436,19 @@ full_refresh: false ## feed_threads: 1 +## +## Setting to disable easy to abuse API endpoints that can +## be spammed and therefore blocking your Invidious instance. +## +## Notes: The following API endpoints will be disabled: +## - /api/v1/videos +## - /api/v1/clips +## - /api/v1/transcripts +## +## Accepted values: true, false +## Default: false +## +disable_api: false jobs: diff --git a/src/invidious.cr b/src/invidious.cr index d7c5b80b..09fbb624 100644 --- a/src/invidious.cr +++ b/src/invidious.cr @@ -217,6 +217,7 @@ end Kemal.config.powered_by_header = false add_handler FilteredCompressHandler.new add_handler APIHandler.new +add_handler DisableAbusableAPIHandler.new add_handler AuthHandler.new add_handler DenyFrame.new diff --git a/src/invidious/config.cr b/src/invidious/config.cr index 7853d9a3..6e46f954 100644 --- a/src/invidious/config.cr +++ b/src/invidious/config.cr 
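Review bot: In the src/invidious.cr hunk, `DisableAbusableAPIHandler` is registered ahead of `AuthHandler`, so if Kemal runs handlers in registration order the 403 is sent before any session or token is evaluated. The listed endpoints would then be refused for signed-in and token-authenticated clients as well as anonymous ones, which the config comment does not mention. If that is intended, record it next to the registration, e.g. `# Runs before AuthHandler, so the endpoints are refused for every client, authenticated or not.`; if authenticated API use should keep working, the handler has to run after `AuthHandler` and take the user into account. The handler list continues outside this hunk, so the full order is not visible here.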
@@ -180,6 +180,9 @@ class Config # Playlist length limit property playlist_length_limit : Int32 = 500 + # Disable easy to abuse API endpoints + property disable_api : Bool = false + def disabled?(option) case disabled = CONFIG.disable_proxy when Bool diff --git a/src/invidious/helpers/handlers.cr b/src/invidious/helpers/handlers.cr index 7c5ef118..a30136b2 100644 --- a/src/invidious/helpers/handlers.cr +++ b/src/invidious/helpers/handlers.cr @@ -133,6 +133,26 @@ class APIHandler < Kemal::Handler end end +class DisableAbusableAPIHandler < Kemal::Handler + {% for method in %w(GET HEAD) %} + # This endpoints make a video request to Invidious companion. + {% for endpoint in %w(videos clips transcripts) %} + only ["/api/v1/{{ endpoint.id }}/:id"], {{ method }} + {% end %} + {% end %} + + def call(env) + return call_next env unless only_match?(env) && CONFIG.disable_api + + env.response.content_type = "application/json" + env.response.status_code = 403 + message = {"error" => "This API endpoint has been disabled by the administrator."}.to_json + env.response.print message + env.response.close + return + end +end + class DenyFrame < Kemal::Handler exclude ["/embed/*"] From f1f66289da20e153e566bc2c52eb4175f99d6d8c Mon Sep 17 00:00:00 2001 From: Fijxu Date: Wed, 27 May 2026 10:37:50 -0400 Subject: [PATCH 2/2] Rename configuration variable, add additional comment for the option --- config/config.example.yml | 17 +++-------------- src/invidious/config.cr | 2 +- src/invidious/helpers/handlers.cr | 2 +- 3 files changed, 5 insertions(+), 16 deletions(-) diff --git a/config/config.example.yml b/config/config.example.yml index 45f956fc..e8b8f3d4 100644 --- a/config/config.example.yml +++ b/config/config.example.yml @@ -185,7 +185,6 @@ https_only: false # path: /tmp/invidious.sock # permissions: 777 - # ----------------------------- # Network (outbound) # ----------------------------- 
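Review bot: In the src/invidious/helpers/handlers.cr hunk of patch 1/2, `DisableAbusableAPIHandler` has no class-level comment, and its only comment sits inside the method loop and reads "This endpoints", so nothing tells a maintainer that this is a deny list to extend when another route starts making companion video requests. I would add above the class `# Answers 403 for the API routes listed below when CONFIG.disable_api is true; any new route that triggers a companion video request should be added here.` (the option is renamed in patch 2/2) and change the macro comment to `# These endpoints make a video request to Invidious companion.`. In `call`, testing the flag first, `return call_next env unless CONFIG.disable_api && only_match?(env)`, skips the route lookup on every request while the option is off, assuming `only_match?` has no side effects. Rejections are not logged, so an operator cannot see how often the block fires; whether a log line belongs here depends on the project's logging conventions.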
@@ -208,7 +207,6 @@ https_only: false ## #pool_size: 100 - ## ## Additional cookies to be sent when requesting the youtube API. ## @@ -243,7 +241,6 @@ https_only: false # host: # port: - ## ## Use Innertube's transcripts API instead of timedtext for closed captions ## @@ -324,7 +321,6 @@ https_only: false ## #statistics_enabled: false - # ----------------------------- # Users and accounts # ----------------------------- @@ -440,6 +436,8 @@ feed_threads: 1 ## Setting to disable easy to abuse API endpoints that can ## be spammed and therefore blocking your Invidious instance. ## +## Useful for public instance maintainers. +## ## Notes: The following API endpoints will be disabled: ## - /api/v1/videos ## - /api/v1/clips @@ -448,13 +446,11 @@ feed_threads: 1 ## Accepted values: true, false ## Default: false ## -disable_api: false +disable_abusable_api: false jobs: - ## Options for the database cleaning job clear_expired_items: - ## Enable/Disable job ## ## Accepted values: true, false @@ -464,7 +460,6 @@ jobs: ## Options for the channels updater job refresh_channels: - ## Enable/Disable job ## ## Accepted values: true, false @@ -474,7 +469,6 @@ jobs: ## Options for the RSS feeds updater job refresh_feeds: - ## Enable/Disable job ## ## Accepted values: true, false @@ -482,7 +476,6 @@ jobs: ## enable: true - # ----------------------------- # Miscellaneous # ----------------------------- @@ -681,7 +674,6 @@ default_user_preferences: ## #captions: ["", "", ""] - # ----------------------------- # Interface # ----------------------------- @@ -783,7 +775,6 @@ default_user_preferences: ## #related_videos: true - # ----------------------------- # Video player behavior # ----------------------------- @@ -847,7 +838,6 @@ default_user_preferences: ## #video_loop: false - # ----------------------------- # Video playback settings # ----------------------------- 
@@ -959,7 +949,6 @@ default_user_preferences: ## #sort: published - # ----------------------------- # Miscellaneous # ----------------------------- diff --git a/src/invidious/config.cr b/src/invidious/config.cr index 6e46f954..80c46adc 100644 --- a/src/invidious/config.cr +++ b/src/invidious/config.cr @@ -181,7 +181,7 @@ class Config property playlist_length_limit : Int32 = 500 # Disable easy to abuse API endpoints - property disable_api : Bool = false + property disable_abusable_api : Bool = false def disabled?(option) case disabled = CONFIG.disable_proxy diff --git a/src/invidious/helpers/handlers.cr b/src/invidious/helpers/handlers.cr index a30136b2..8395c7a4 100644 --- a/src/invidious/helpers/handlers.cr +++ b/src/invidious/helpers/handlers.cr @@ -142,7 +142,7 @@ class DisableAbusableAPIHandler < Kemal::Handler {% end %} def call(env) - return call_next env unless only_match?(env) && CONFIG.disable_api + return call_next env unless only_match?(env) && CONFIG.disable_abusable_api env.response.content_type = "application/json" env.response.status_code = 403