From 87d4e6e2c5209d380c386a1d32be2e8810726286 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 7 Apr 2021 19:07:22 +0200
Subject: [PATCH] Add option API_DISABLE_LOGIN_API

---
 htdocs/api/class/api_login.class.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/htdocs/api/class/api_login.class.php b/htdocs/api/class/api_login.class.php
index b9666269cc1..5209cc51157 100644
--- a/htdocs/api/class/api_login.class.php
+++ b/htdocs/api/class/api_login.class.php
@@ -58,7 +58,11 @@ class Login
 	{
 		global $conf, $dolibarr_main_authentication, $dolibarr_auto_user;
 
-		// TODO Remove the API login. The token must be generated from backoffice only.
+		// Is the login API disabled ? The token must be generated from backoffice only.
+		if (! empty($conf->global->API_DISABLE_LOGIN_API)) {
+			dol_syslog("Warning: A try to use the login API has been done while the login API is disabled. You must generate or get the token from the backoffice.", LOG_WARNING);
+			throw new RestException(403, "Error, the login API has been disabled for security purpose. You must generate or get the token from the backoffice.");
+		}
 
 		// Authentication mode
 		if (empty($dolibarr_main_authentication)) {
@@ -87,7 +91,7 @@ class Login
 		}
 
 		include_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php';
-		$login = checkLoginPassEntity($login, $password, $entity, $authmode, 'api');
+		$login = checkLoginPassEntity($login, $password, $entity, $authmode, 'api'); // Check credentials.
 		if (empty($login)) {
 			throw new RestException(403, 'Access denied');
 		}
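Review bot: The dol_syslog call inside the new API_DISABLE_LOGIN_API guard records that the disabled endpoint was hit but nothing about who hit it, so the warning cannot be correlated with a client or an account during incident triage; consider appending the caller's address and the attempted login (never the password), e.g. `dol_syslog("Warning: attempt to use the login API while it is disabled (login=".$login.", ip=".$_SERVER['REMOTE_ADDR'].")...", LOG_WARNING);`, keeping in mind that REMOTE_ADDR is the proxy's address when Dolibarr sits behind one. The enclosing method's signature is outside the hunk, so `$login` being in scope at that point is inferred from the later `checkLoginPassEntity($login, ...)` line in the second hunk rather than visible here. The log text "A try to use the login API has been done" would read better as "An attempt to use the login API was made". Minor style: the surrounding Dolibarr code writes `!empty(...)` without the space after the bang.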