Is it possible to disable public access to an instance?

[tastytea]

Hi, I'm wondering if it is possible to disallow unauthenticated API access completely? My goal is that https://example.org/featured and so on doesn't show anything if I'm not logged in.

[Johann150]

It is not currently possible to do this inside of Misskey. There is an open PR #7709 in this direction but I can not tell if or when it will be merged.

You could maybe achieve something like this with using a VPN and IP address based nginx access rules to block access to all /api/ routes outside the VPN. This would still allow federation with other instances.

If you also do not want federation you could also use a VPN and block all outside access in a similar setup.

[tastytea]

Thank you! 💖

[tastytea]

It seems i can just flip requireCredential to true in the relevant files in packages/backend/src/server/api/endpoints/ and unauthenticated API access is denied? Seems to work so far… 🤔

[m0nnnna]

Can I ask how you were able to do this manually? Looking in the directory there are a lot of different options to set this configuration and I would like to automate it until there is an official feature if this does work.

[tastytea]

i just searched for requireCredential and changed it from false to true before building. there might be some endpoints that should be publicly accessible, so be careful when automating this. 😉

here is the patch i apply currently: misskey-13.14.2-disable-some-unauthenticated-API-requests.patch.txt. you can apply it with patch -p1 < misskey-13.14.2-disable-some-unauthenticated-API-requests.patch.txt in your misskey directory (had to rename .patch to .patch.txt because github doesn't take .patch files).