appdaemon
API Security documentation looks out of date?
In the API Security documentation it talks about an api_key added to the appdaemon: section.
https://appdaemon.readthedocs.io/en/latest/APPGUIDE.html#api-security
However I think this has now moved to the http component and been renamed to password
as per the http config docs here:
https://appdaemon.readthedocs.io/en/latest/CONFIGURE.html#configuring-the-http-component
You will want to use one or the other. The password option will password protect the web interface and the API. You will need to pass x-ad-access with the password as a header to access the API. I am pretty sure the api_password will only protect the API but not the web interface.
Hmm something isn't working here.
Setting:
    appdaemon:
      api_password: something
    http:
      url: http://127.0.0.1:5050
    hadashboard:
    admin:
    api:
Lets me do a POST of http://[IP]:[PORT]/api/appdaemon/skill_name - without a password and I can see in the logs I start to process the request.
Setting:
    appdaemon:
    http:
      url: http://127.0.0.1:5050
      password: something
    hadashboard:
    admin:
    api:
does protect the API with the password but the admin page seems to be unprotected.
Also slightly annoyingly if I comment out the admin I end up with this screen
It would be good to be able to suppress this screen; I'd rather not announce what I'm serving on this endpoint. I have to serve it externally to be able to use the Alexa functionality.
The docs seem up to date on this issue now, and the new AUI will return 404 if it is disabled - closing.
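Added example, not part of the thread or of AppDaemon's own code: a small check for your own instance that repeats the tests described above, sending each request with no x-ad-access header and with a wrong one, and reporting which endpoints answer anyway. The "/" path for the web interface and the reading of the status codes are assumptions.

```python
import sys
import urllib.error
import urllib.request

HEADER = "x-ad-access"  # header name quoted in the thread
# (method, path) pairs to probe. The API path is the one from the thread;
# "/" as the web interface location is an assumption.
TARGETS = [("POST", "/api/appdaemon/skill_name"), ("GET", "/")]


def fetch(url, method="GET", headers=None, timeout=5):
    """Send one request and return the HTTP status code."""
    body = b"{}" if method == "POST" else None
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=body, method=method, headers=hdrs)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map the status of a request sent without valid credentials to a verdict."""
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "not served"
    # Assumption: a 2xx/3xx answer without credentials means no auth was enforced.
    return "OPEN" if status < 400 else "unclear"


def audit(base_url, targets=TARGETS, fetch=fetch):
    """Probe each target with no header and with a wrong password."""
    report = {}
    for method, path in targets:
        url = base_url.rstrip("/") + path
        report[(method, path)] = {
            "anonymous": classify(fetch(url, method, {})),
            "wrong_password": classify(fetch(url, method, {HEADER: "not-the-password"})),
        }
    return report


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:5050"
    for (method, path), verdicts in audit(base).items():
        print(f"{method:4} {path:30} {verdicts}")
```

If the API turns out to be open, the POST reaches the app, which is the same log entry described in the thread.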