Disable API

[mrinnetmaki]

Risk analysis

• Risks of the implementation in this pull request have been analyzed with following results:
• Following items in the risk list are related to the implementation: [list of risk ids]

Significance

• Analysis, is the software change considered significant (ref. MDCG 2020-3, chart C), has been made with following result:
• This is a significant change, but no MDR certification is required as this is the end of life announcement for this service.

Security check-up

https://github.com/OWASP/www-project-top-ten/blob/master/index.md

• A01:2021-Broken Access Control - This changes access control a bit, but only by disabling functionality. Does not expose vulnerable data.
• A02:2021-Cryptographic Failures - No changes to crypto functionality.
• A03:2021-Injection - It's really hard to inject anything now.
• A04:2021-Insecure Design - The change was made quite fast, but no new attack vectors have been identified.
• A05:2021-Security Misconfiguration - No changes to security configs.
• A06:2021-Vulnerable and Outdated Components - There are some, but there's no point in updating them anymore.
• A07:2021-Identification and Authentication Failures - Should not matter as only feature left is deleting an account. And even existing accounts are useless and provide no access to data.
• A08:2021-Software and Data Integrity Failures - No changes here.
• A09:2021-Security Logging and Monitoring Failures - We could perhaps monitor whether anyone still tries to use the API. We can do that manually by inspecting load balancer accesss logs. No point in doing it here.
• A10:2021-Server-Side Request Forgery - Not applicable, no links or any input accepted.

[ReettaValimaki]

Approved post merge due to critical timing of the change