From 44d030e88abc3a837eebc06227f2d5f05ecb551c Mon Sep 17 00:00:00 2001
From: Matthew O'Riordan
Date: Mon, 20 May 2013 07:33:26 +0200
Subject: [PATCH] Flag to enforce API requests over SSL

---
 config.default.json | 3 ++-
 lib/middleware.js | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/config.default.json b/config.default.json
index df542b55..ae476cd3 100644
--- a/config.default.json
+++ b/config.default.json
@@ -48,7 +48,8 @@
     "report": []
   },
   "api": {
-    "allowAnonymous": true
+    "allowAnonymous": true,
+    "requireSSL": false
   },
   "blacklist": {
     "html": ["processform.cgi", "habbo.com"],
diff --git a/lib/middleware.js b/lib/middleware.js
index 999f326f..95f25c27 100644
--- a/lib/middleware.js
+++ b/lib/middleware.js
@@ -189,6 +189,15 @@ module.exports = {
     if (req.url.indexOf('/api') === 0) {
       req.isApi = true;
+
+      if (config.api.requireSSL) {
+        if (!req.secure && (String(req.headers['x-forwarded-proto']).toLowerCase() !== "https") ) {
+          res.status(403); // forbidden
+          res.json({ error: 'All API requests must be made over SSL/TLS' });
+          return;
+        }
+      }
+
       if (req.query.api_key) {
         apiKey = req.query.api_key;
       } else if (req.headers.authorization) {
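Review bot: `requireSSL` is introduced with a default of `false`, so the check it switches on in lib/middleware.js is opt-in and existing deployments keep serving API requests over plaintext until an operator changes it; if that is intended, the key needs an entry in the project's configuration documentation, since this JSON file cannot carry a comment. That entry should also state what the flag actually guarantees: the middleware hunk admits a request when `req.secure` is set or when the `x-forwarded-proto` header equals `https`, so the flag only enforces TLS when a trusted proxy terminates TLS and overwrites that header on every inbound request, e.g. `requireSSL: reject plaintext /api requests with 403; relies on req.secure or a proxy-set X-Forwarded-Proto: https`. Whether such a proxy sits in front of this application is not visible in the patch.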