fix: #8912

public/language/en-GB/admin/settings/api.json

@@ -1,9 +1,13 @@
 {
 	"tokens": "Tokens",
+	"settings": "Settings",
 	"lead-text": "From this page you can configure access to the Write API in NodeBB.",
 	"intro": "By default, the Write API authenticates users based on their session cookie, but NodeBB also supports Bearer authentication via tokens generated via this page.",
 	"docs": "Click here to access the full API specification",
 
+	"require-https": "Require API usage via HTTPS only",
+	"require-https-caveat": "<strong>Note</strong>: Some installations involving load balancers may proxy their requests to NodeBB using HTTP, in which case this option should remain disabled.",
+
 	"uid": "User ID",
 	"uid-help-text": "Specify a User ID to associate with this token. If the user ID is <code>0</code>, it will be considered a <em>master</em> token, which can assume the identity of other users based on the <code>_uid</code> parameter",
 	"description": "Description",

public/src/admin/settings.js

@@ -65,6 +65,7 @@ define('admin/settings', ['uploader', 'mousetrap'], function (uploader, mousetra
 
 		saveBtn.off('click').on('click', function (e) {
 			e.preventDefault();
+			console.log(fields);
 
 			saveFields(fields, function onFieldsSaved(err) {
 				if (err) {

src/routes/write/index.js

@@ -1,7 +1,7 @@
 'use strict';
 
-const nconf = require('nconf');
 const winston = require('winston');
+const meta = require('../../meta');
 const plugins = require('../../plugins');
 const middleware = require('../../middleware');
 const helpers = require('../../controllers/helpers');
@@ -10,10 +10,19 @@ const Write = module.exports;
 
 Write.reload = async (params) => {
 	const router = params.router;
+	let apiSettings = await meta.settings.get('core.api');
+	plugins.registerHook('core', {
+		hook: 'action:settings.set',
+		method: async (data) => {
+			if (data.plugin === 'core.api') {
+				apiSettings = await meta.settings.get('core.api');
+			}
+		},
+	});
 
 	router.use('/api/v3', function (req, res, next) {
 		// Require https if configured so
-		if (nconf.get('secure') && req.protocol !== 'https') {
+		if (apiSettings.requireHttps === 'on') {
 			res.set('Upgrade', 'TLS/1.0, HTTP/1.1');
 			return helpers.formatApiResponse(426, res);
 		}

src/views/admin/settings/api.tpl

@@ -1,9 +1,6 @@
 <!-- IMPORT admin/partials/settings/header.tpl -->
 
 <form role="form" class="core-api-settings">
-	<div class="row">
-		<div class="col-sm-2 col-xs-12 settings-header">[[admin/settings/api:tokens]]</div>
-		<div class="col-sm-10 col-xs-12">
 	<p class="lead">[[admin/settings/api:lead-text]]</p>
 	<p>[[admin/settings/api:intro]]</p>
 	<p>
@@ -13,6 +10,24 @@
 		</a>
 	</p>
 
+	<hr />
+
+	<div class="row">
+		<div class="col-sm-2 col-xs-12 settings-header">[[admin/settings/api:settings]]</div>
+		<div class="col-sm-10 col-xs-12">
+			<div class="checkbox">
+				<label class="mdl-switch mdl-js-switch mdl-js-ripple-effect">
+					<input id="requireHttps" class="mdl-switch__input" type="checkbox" name="requireHttps" />
+					<span class="mdl-switch__label">[[admin/settings/api:require-https]]</span>
+				</label>
+			</div>
+			<p class="help-block">[[admin/settings/api:require-https-caveat]]</p>
+		</div>
+	</div>
+
+	<div class="row">
+		<div class="col-sm-2 col-xs-12 settings-header">[[admin/settings/api:tokens]]</div>
+		<div class="col-sm-10 col-xs-12">
 			<div class="form-group" data-type="sorted-list" data-sorted-list="tokens" data-item-template="admin/partials/api/sorted-list/item" data-form-template="admin/partials/api/sorted-list/form">
 				<input hidden="text" name="tokens">
 				<ul data-type="list" class="list-group"></ul>