feat(integrations): automatically disable googlereader/fever when not used

jvoisin · jvoisin · commit 5bae597e0b8e · 2025-07-15T17:53:02.000+02:00
When there is no user of Fever/GoogleReader, there is no need to expose their
endpoints. This reduces quite a bit the exposition surface of miniflux, while
not breaking any existing deployments, and is pretty self-contained.
diff --git a/internal/fever/handler.go b/internal/fever/handler.go
@@ -25,7 +25,9 @@ func Serve(router *mux.Router, store *storage.Storage) {
 	handler := &handler{store, router}
 
 	sr := router.PathPrefix("/fever").Subrouter()
-	sr.Use(newMiddleware(store).serve)
+	middleware := newMiddleware(store)
+	sr.Use(middleware.maybeUnauthorizedFever)
+	sr.Use(middleware.serve)
 	sr.HandleFunc("/", handler.serve).Name("feverEndpoint")
 }
 
diff --git a/internal/fever/middleware.go b/internal/fever/middleware.go
@@ -9,6 +9,7 @@ import (
 	"net/http"
 
 	"miniflux.app/v2/internal/http/request"
+	"miniflux.app/v2/internal/http/response"
 	"miniflux.app/v2/internal/http/response/json"
 	"miniflux.app/v2/internal/storage"
 )
@@ -21,6 +22,20 @@ func newMiddleware(s *storage.Storage) *middleware {
 	return &middleware{s}
 }
 
+func (m *middleware) maybeUnauthorizedFever(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if m.store.IsFeverUsed() {
+			next.ServeHTTP(w, r)
+		} else {
+			builder := response.New(w, r)
+			builder.WithStatus(http.StatusUnauthorized)
+			builder.WithHeader("Content-Type", "text/plain")
+			builder.WithBody("Unauthorized")
+			builder.Write()
+		}
+	})
+}
+
 func (m *middleware) serve(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		clientIP := request.ClientIP(r)
diff --git a/internal/googlereader/handler.go b/internal/googlereader/handler.go
@@ -49,6 +49,7 @@ func Serve(router *mux.Router, store *storage.Storage) {
 	sr := router.PathPrefix("/reader/api/0").Subrouter()
 	sr.Use(middleware.handleCORS)
 	sr.Use(middleware.apiKeyAuth)
+	sr.Use(middleware.maybeUnauthorizedGoogleReader)
 	sr.Methods(http.MethodOptions)
 	sr.HandleFunc("/token", handler.tokenHandler).Methods(http.MethodGet).Name("Token")
 	sr.HandleFunc("/edit-tag", handler.editTagHandler).Methods(http.MethodPost).Name("EditTag")
diff --git a/internal/googlereader/middleware.go b/internal/googlereader/middleware.go
@@ -25,6 +25,16 @@ func newMiddleware(s *storage.Storage) *middleware {
 	return &middleware{s}
 }
 
+func (m *middleware) maybeUnauthorizedGoogleReader(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if m.store.IsGoogleReaderUsed() {
+			next.ServeHTTP(w, r)
+		} else {
+			Unauthorized(w, r)
+		}
+	})
+}
+
 func (m *middleware) handleCORS(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Access-Control-Allow-Origin", "*")
diff --git a/internal/storage/integration.go b/internal/storage/integration.go
@@ -52,6 +52,13 @@ func (s *Storage) UserByFeverToken(token string) (*model.User, error) {
 	}
 }
 
+func (s *Storage) IsFeverUsed() bool {
+	query := `SELECT true FROM integrations WHERE fever_enabled=true`
+	var result bool
+	s.db.QueryRow(query).Scan(&result)
+	return result
+}
+
 // GoogleReaderUserCheckPassword validates the Google Reader hashed password.
 func (s *Storage) GoogleReaderUserCheckPassword(username, password string) error {
 	var hash string
@@ -105,6 +112,13 @@ func (s *Storage) GoogleReaderUserGetIntegration(username string) (*model.Integr
 	return &integration, nil
 }
 
+func (s *Storage) IsGoogleReaderUsed() bool {
+	query := `SELECT true FROM integrations WHERE googlereader_enabled=true`
+	var result bool
+	s.db.QueryRow(query).Scan(&result)
+	return result
+}
+
 // Integration returns user integration settings.
 func (s *Storage) Integration(userID int64) (*model.Integration, error) {
 	query := `

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,9 @@ func Serve(router mux.Router, store storage.Storage) {`
`25`	`25`	`handler := &handler{store, router}`
`26`	`26`
`27`	`27`	`sr := router.PathPrefix("/fever").Subrouter()`
`28`		`- sr.Use(newMiddleware(store).serve)`
	`28`	`+ middleware := newMiddleware(store)`
	`29`	`+ sr.Use(middleware.maybeUnauthorizedFever)`
	`30`	`+ sr.Use(middleware.serve)`
`29`	`31`	`sr.HandleFunc("/", handler.serve).Name("feverEndpoint")`
`30`	`32`	`}`
`31`	`33`