Merge f1f66289da20e153e566bc2c52eb4175f99d6d8c into 98f4f118b2e4cfeb77bd65a76df9b88ee55c33a6

config/config.example.yml

@@ -205,7 +205,6 @@ https_only: false
 #  path: /tmp/invidious.sock
 #  permissions: 777
 
-
 # -----------------------------
 #  Network (outbound)
 # -----------------------------
@@ -228,7 +227,6 @@ https_only: false
 ##
 #pool_size: 100
 
-
 ##
 ## Additional cookies to be sent when requesting the youtube API.
 ##
@@ -263,7 +261,6 @@ https_only: false
 #  host:
 #  port:
 
-
 ##
 ## Use Innertube's transcripts API instead of timedtext for closed captions
 ##
@@ -344,7 +341,6 @@ https_only: false
 ##
 #statistics_enabled: false
 
-
 # -----------------------------
 #  Users and accounts
 # -----------------------------
@@ -456,12 +452,25 @@ full_refresh: false
 ##
 feed_threads: 1
 
+##
+## Setting to disable easy to abuse API endpoints that can
+## be spammed and therefore blocking your Invidious instance.
+##
+## Useful for public instance maintainers.
+##
+## Notes: The following API endpoints will be disabled:
+##  - /api/v1/videos
+##  - /api/v1/clips
+##  - /api/v1/transcripts
+##
+## Accepted values: true, false
+## Default: false
+##
+disable_abusable_api: false
 
 jobs:
-
   ## Options for the database cleaning job
   clear_expired_items:
-
     ## Enable/Disable job
     ##
     ## Accepted values: true, false
@@ -471,7 +480,6 @@ jobs:
 
   ## Options for the channels updater job
   refresh_channels:
-
     ## Enable/Disable job
     ##
     ## Accepted values: true, false
@@ -481,7 +489,6 @@ jobs:
 
   ## Options for the RSS feeds updater job
   refresh_feeds:
-
     ## Enable/Disable job
     ##
     ## Accepted values: true, false
@@ -489,7 +496,6 @@ jobs:
     ##
     enable: true
 
-
 # -----------------------------
 #  Miscellaneous
 # -----------------------------
@@ -688,7 +694,6 @@ default_user_preferences:
   ##
   #captions: ["", "", ""]
 
-
   # -----------------------------
   #  Interface
   # -----------------------------
@@ -790,7 +795,6 @@ default_user_preferences:
   ##
   #related_videos: true
 
-
   # -----------------------------
   #  Video player behavior
   # -----------------------------
@@ -854,7 +858,6 @@ default_user_preferences:
   ##
   #video_loop: false
 
-
   # -----------------------------
   #  Video playback settings
   # -----------------------------
@@ -966,7 +969,6 @@ default_user_preferences:
   ##
   #sort: published
 
-
   # -----------------------------
   #  Miscellaneous
   # -----------------------------

src/invidious.cr

@@ -217,6 +217,7 @@ end
 Kemal.config.powered_by_header = false
 add_handler FilteredCompressHandler.new
 add_handler APIHandler.new
+add_handler DisableAbusableAPIHandler.new
 add_handler AuthHandler.new
 add_handler DenyFrame.new
 

src/invidious/config.cr

@@ -183,6 +183,9 @@ class Config
   # Playlist length limit
   property playlist_length_limit : Int32 = 500
 
+  # Disable easy to abuse API endpoints
+  property disable_abusable_api : Bool = false
+
   def disabled?(option)
     case disabled = CONFIG.disable_proxy
     when Bool

src/invidious/helpers/handlers.cr

@@ -133,6 +133,26 @@ class APIHandler < Kemal::Handler
   end
 end
 
+class DisableAbusableAPIHandler < Kemal::Handler
+  {% for method in %w(GET HEAD) %}
+    # This endpoints make a video request to Invidious companion.
+    {% for endpoint in %w(videos clips transcripts) %}
+      only ["/api/v1/{{ endpoint.id }}/:id"], {{ method }}
+    {% end %}
+  {% end %}
+
+  def call(env)
+    return call_next env unless only_match?(env) && CONFIG.disable_abusable_api
+
+    env.response.content_type = "application/json"
+    env.response.status_code = 403
+    message = {"error" => "This API endpoint has been disabled by the administrator."}.to_json
+    env.response.print message
+    env.response.close
+    return
+  end
+end
+
 class DenyFrame < Kemal::Handler
   exclude ["/embed/*"]