Use server-side password generator for generating token.

Fix setup correctly writing the value for API to mailu.env
Normalize env vars for front container.
Update reverse proxy with API information.

core/nginx/conf/nginx.conf

@@ -252,7 +252,7 @@ http {
       {% endif %}
       {% endif %}
 
-      {% if API == 'true' %}
+      {% if API %}
       location ~ {{ WEB_API or '/api' }} {
         include /etc/nginx/proxy.conf;
         proxy_pass http://$admin;

core/nginx/config.py

@@ -5,8 +5,7 @@ import logging as log
 import sys
 from socrate import system, conf
 
-system.set_env()
+args = system.set_env()
-args = os.environ.copy()
 log.basicConfig(stream=sys.stderr, level=args.get("LOG_LEVEL", "WARNING"))
 
 args['TLS_PERMISSIVE'] = str(args.get('TLS_PERMISSIVE')).lower() not in ('false', 'no')

docs/reverse.rst

@@ -70,14 +70,14 @@ Then on your own frontend, point to these local ports. In practice, you only nee
   REAL_IP_FROM=x.x.x.x,y.y.y.y.y
   #x.x.x.x,y.y.y.y.y is the static IP address your reverse proxy uses for connecting to Mailu.
 
-Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``, the single sign on page as ``/sso``, webdav as ``/webdav``, the client-autoconfiguration and the static files endpoint as ``/static``, you may also want to use a single virtual host and serve other applications (still Nginx):
+Because the admin interface is served as ``/admin``, the RESTful API as ``/api``, the Webmail as ``/webmail``, the single sign on page as ``/sso``, webdav as ``/webdav``, the client-autoconfiguration and the static files endpoint as ``/static``, you may also want to use a single virtual host and serve other applications (still Nginx):
 
 .. code-block:: nginx
 
   server {
     # [...] here goes your standard configuration
 
-    location ~* ^/(admin|sso|static|webdav|webmail|(apple\.)?mobileconfig|(\.well\-known/autoconfig/)?mail/|Autodiscover/Autodiscover) {
+    location ~* ^/(admin|api|sso|static|webdav|webmail|(apple\.)?mobileconfig|(\.well\-known/autoconfig/)?mail/|Autodiscover/Autodiscover) {
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_pass https://localhost:8443;

setup/static/render.js

@@ -1,7 +1,5 @@
-//API_TOKEN generator
+//Store API token in variable.
-var random_array = new Uint32Array(2);
+var token = $("#api_token").val();
-crypto.getRandomValues(random_array);
-var token =  random_array[0].toString() + random_array[1].toString();
 
 $(document).ready(function() {
 	if ($("#webmail").val() == 'none') {
@@ -39,7 +37,7 @@ $(document).ready(function() {
 });
 
 $(document).ready(function() {
-	if ($('#api').prop('checked')) {
+	if ($('#api_enabled').prop('checked')) {
 		$("#api_path").show();
 		$("#api_path").val("/api")
 		$("#api_token").show();
@@ -54,7 +52,7 @@ $(document).ready(function() {
 		$("#api_token").val("");
 		$("#api_token_label").hide();
 	}
-	$("#api").change(function() {
+	$("#api_enabled").change(function() {
 		if ($(this).is(":checked")) {
 			$("#api_path").show();
 			$("#api_path").val("/api");

setup/templates/steps/config.html

@@ -93,11 +93,11 @@ manage your email domains, users, etc.</p>
   It is not possible to use the API without an API token.</p>
 
   <div class="form-group">
-      <input type="checkbox" name="api_enabled" value="true" id="api" >
+      <input type="checkbox" name="api_enabled" value="true" id="api_enabled" >
       <label>Enable the API (and path to the API)</label>
       <input class="form-control" type="text" name="api_path" id="api_path" style="display: none">
       <label name="api_token_label" id="api_token_label">API token</label>
-      <input class="form-control" type="text" name="api_token" id="api_token" style="display: none">
+      <input class="form-control" type="text" name="api_token" id="api_token" style="display: none" value="{{ secret(32) }}">
   </div>
 
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>