
[BUG] Missing authentication for API endpoints

Open l4rm4nd opened this issue 3 years ago • 3 comments

Describe the bug

The following API endpoints do not require authentication:

  • /api/server-info/version
  • /api/server-info
  • /api/server-info/ping

To Reproduce

Steps to reproduce the behavior:

Visit the following links without being logged in:

  • https://demo.immich.app/api/server-info
  • https://demo.immich.app/api/server-info/version
  • https://demo.immich.app/api/server-info/ping

Expected behavior

The endpoints should only be accessible for authenticated users.

For the endpoint /api/server-info/stats, for example, authentication is required.


l4rm4nd avatar Dec 29 '22 21:12 l4rm4nd

One can argue that server stats should be protected, but version and ping should IMHO not require authentication.

This is even more true for the ping endpoint, as it could be used for healthchecks and liveness probes.

bt90 avatar Dec 30 '22 07:12 bt90

Yeah definitely.

Just wanted to start the discussion on whether the endpoints are intended to be exposed.

Ping and health are typically exposed and ok, I agree. Just listed all.

Not so sure about the disk stats and version though. If there is a requirement, fine. However, I think these endpoints are worth protecting.

l4rm4nd avatar Dec 30 '22 13:12 l4rm4nd

Hey, thanks for raising. I think it's worth evaluating if we can protect the server-info endpoint for sure; this info doesn't need to be exposed to unauthenticated users.

zackpollard avatar Jan 23 '23 23:01 zackpollard
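
A regression check for the access policy discussed in this thread, added here as an example and not taken from the Immich code base: it sends unauthenticated GET requests to the four paths named above and reports any path whose behaviour differs from the policy. The names `POLICY`, `probe`, `audit` and `run_demo` are assumptions, and the local stub server is constructed to reproduce the behaviour reported in the issue so the check runs offline.

```python
import http.server
import threading
import urllib.error
import urllib.request

# path -> may it answer without credentials? (assumed policy drawn from the thread)
POLICY = {
    "/api/server-info/ping": True,      # healthchecks and liveness probes
    "/api/server-info/version": True,   # debated in the thread; set False to enforce auth
    "/api/server-info": False,
    "/api/server-info/stats": False,
}
# Ignore proxy environment variables so local targets are reached directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base_url, path, timeout=5):
    """Return the HTTP status of a GET sent with no cookie, token or API key."""
    try:
        with _OPENER.open(base_url + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url, policy=POLICY):
    """List (path, status, reason) for every path that violates the policy."""
    findings = []
    for path, public_ok in policy.items():
        status = probe(base_url, path)
        exposed = 200 <= status < 300
        if exposed and not public_ok:
            findings.append((path, status, "answers without authentication"))
        elif not exposed and public_ok:
            findings.append((path, status, "public endpoint not reachable"))
    return findings

class _Stub(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the reported behaviour: only /stats demands auth."""
    OPEN = {"/api/server-info", "/api/server-info/version", "/api/server-info/ping"}
    def do_GET(self):
        self.send_response(200 if self.path in self.OPEN else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo output quiet
        pass

def run_demo(policy=POLICY):
    """Start the stub on a free local port, audit it, and return the findings."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit(f"http://127.0.0.1:{server.server_port}", policy)
    finally:
        server.shutdown()
        server.server_close()
```

Pointing `audit` at your own instance's base URL in CI turns the outcome of this discussion into a test that fails if a protected path starts answering anonymously.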