POST users does not require authentication. Is this intentional?

vishalv2050 7 years ago

https://www.traccar.org/api-reference/#paths_users_POST
Here is the API I am talking about. This feels weird. Essentially, if I know where a server is running, can I create millions of users on that DB?

Anton Tananaev 7 years ago

What makes you think that it doesn't require authentication? That assumption is incorrect. It does require authentication.

vishalv2050 7 years ago

I can post to this URL:
http://0.0.0.0:8082/api/users with just a single header (Content-Type: application/json), and no Authorization header.
And any body like

{
    "attributes": {},
    "name": "vishal",
    "email": "test8",
    "password": "test8"
}

And a user gets created in the DB and gets returned as part of the server response.

Anton Tananaev 7 years ago

It probably means that you have public registration enabled. Then you obviously can register new users.

vishalv2050 7 years ago

Ah ok. That makes sense!
Thanks for clarifying. I was really stumped by this.

elingtey 7 years ago

Hi Anton,
May I know how to disable the registration button? I log in to the admin -> settings section but can't find any place to remove the public registration button.

Anton Tananaev 7 years ago

You need to un-tick the "Registration" checkbox in the Settings > Server menu.
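
For servers that keep public registration enabled, the mass sign-up concern raised in this thread can be watched for in access logs. The following is an added example, not part of the thread or of Traccar: it assumes a reverse proxy in front of the server writes Combined Log Format in chronological order, and the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format, as written by a reverse proxy in front of the
# server (assumption; adjust the pattern to your own log format).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def signup_bursts(lines, limit=3, window=timedelta(minutes=1)):
    """Return {ip: peak count} for clients with more than `limit` successful
    POST /api/users requests inside any sliding `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of successful sign-ups
    peaks = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log entry
        path = m["path"].split("?", 1)[0].rstrip("/")
        if m["method"] != "POST" or path != "/api/users":
            continue
        if not m["status"].startswith("2"):
            continue  # rejected request, no user was created
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop sign-ups that left the window
            q.popleft()
        if len(q) > limit:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{s:02d} +0000] '
    '"POST /api/users HTTP/1.1" 200 182 "-" "python-requests/2.31"'
    for s in range(0, 50, 10)
] + [
    '198.51.100.20 - - [10/Mar/2024:12:00:05 +0000] "POST /api/users HTTP/1.1" 200 180 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:12:00:09 +0000] "POST /api/session HTTP/1.1" 200 420 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2024:12:00:11 +0000] "POST /api/users HTTP/1.1" 401 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    print(signup_bursts(SAMPLE))
```

The access log does not record whether an Authorization header was sent, so user creation by a logged-in administrator is counted as well; tune `limit` to the normal admin workload.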