From 231e8398f5ed7136b2442e7bbd498dfc42946558 Mon Sep 17 00:00:00 2001 From: Massimiliano Date: Mon, 2 Oct 2023 08:44:51 +0200 Subject: [PATCH] Add an option to disable auth api routes (#809) --- py4web/utils/auth.py | 56 +++++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 27 deletions(-) diff --git a/py4web/utils/auth.py b/py4web/utils/auth.py index dfd36e379..c47d10cb6 100644 --- a/py4web/utils/auth.py +++ b/py4web/utils/auth.py @@ -927,7 +927,7 @@ def enable_record_versioning( current_record_label=current_record_label, ) - def enable(self, route="auth", uses=(), env=None, spa=False): + def enable(self, route="auth", uses=(), env=None, spa=False, allow_api_routes=True): """Enables Auth, aka generates login/logout/register/etc API pages""" self.route = route = route.rstrip("/") env = env or {} 
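Review bot: The docstring under the changed signature still reads `"""Enables Auth, aka generates login/logout/register/etc API pages"""` and never mentions `allow_api_routes`, so a caller cannot tell what the flag turns off or what stays reachable. I would add an entry along the lines of `allow_api_routes: when False, no {route}/api/{name} actions are registered; plugin routes are still registered`, which matches what the second hunk shows. Because this switch reduces exposed surface, consider making it keyword-only (`spa=False, *, allow_api_routes=True`) so a stray fifth positional argument cannot set it by accident. The body of `enable` continues outside this hunk.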
@@ -944,35 +944,37 @@ def enable(self, route="auth", uses=(), env=None, spa=False): # This exposes all API actions as /{app_name}/{route}/api/{name} # and API Models as /{app_name}/{route}/api/{name}?@model=true + exposed_api_routes = [] + if allow_api_routes: - # Exposed Public APIs - exposed_api_routes = [ - dict(api_name=api_name, api_route=f"{route}/api/{api_name}", uses=auth) - for api_name in AuthAPI.public_api - if self.allows(api_name) - ] - - # Exposed Private APIs - exposed_api_routes.extend( - [ - dict( - api_name=api_name, - api_route=f"{route}/api/{api_name}", - uses=auth.user, - ) - for api_name in AuthAPI.private_api + # Exposed Public APIs + exposed_api_routes = [ + dict(api_name=api_name, api_route=f"{route}/api/{api_name}", uses=auth) + for api_name in AuthAPI.public_api if self.allows(api_name) ] - ) - - for item in exposed_api_routes: - api_factory = getattr(AuthAPI, item["api_name"]) - - @action(item["api_route"], method=methods) - @action.uses(item["uses"], *uses) - def _(auth=auth, api_factory=api_factory): - return api_factory(auth) - + + # Exposed Private APIs + exposed_api_routes.extend( + [ + dict( + api_name=api_name, + api_route=f"{route}/api/{api_name}", + uses=auth.user, + ) + for api_name in AuthAPI.private_api + if self.allows(api_name) + ] + ) + + for item in exposed_api_routes: + api_factory = getattr(AuthAPI, item["api_name"]) + + @action(item["api_route"], method=methods) + @action.uses(item["uses"], *uses) + def _(auth=auth, api_factory=api_factory): + return api_factory(auth) + # This exposes all plugins as /{app_name}/{route}/plugins/{path} for name in self.plugins:
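Review bot: The `exposed_api_routes = []` added before `if allow_api_routes:` is dead as written, because the list is reassigned inside the branch and the `for item in exposed_api_routes:` loop also runs only inside it. Either drop the initialisation or leave the registration loop outside the `if`, so that the empty list is what disables it. The comment `# This exposes all API actions as /{app_name}/{route}/api/{name}` now sits above conditional code and should say so, for example `# Unless allow_api_routes is False, this exposes all API actions as ...`. The plugin loop that follows is unchanged context, so `{route}/plugins/{path}` is still registered when the flag is off; a short comment stating that would stop readers assuming the flag disables every auth endpoint. A test that calls `enable(allow_api_routes=False)` and checks that no `{route}/api/...` action is registered would pin the behaviour. `enable` starts before and continues after this hunk.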