It is expected that the server endpoint doesn't require authorization. What is the problem exactly?
The API reference states that GET has basicAuth and requires email and password. Can you update the API reference if it doesn't require authorization?
I've read it again. I don't necessarily want the server information publicly available. Am I reading it wrong?
Can you update the API reference if it doesn't require authorization?
Feel free to send a PR with the documentation update.
I don't necessarily want the server information publicly available. Am I reading it wrong?
What specifically are you concerned about?
I guess being read is one thing, allowing writes is another.
Mostly, I'd like more permissions around any access to the API. Access to back end information is undesirable in any scenario.
Mostly, the documentation states that I need email and password authentication to be able to read this information. So, I could've placed private information on the server page inadvertently.
Mostly, I need to know my limitations and boundaries with the software or I will be focusing time and effort in the wrong areas. Worse, I could potentially leave myself open in areas I am not aware of.
Again, you're welcome to contribute to the documentation if you think it's lacking currently.
It exposes default coordinates, map key, etc. without authentication.
That is expected. All those details are needed for all users.
I'd argue to Vinod's point that those details are needed for all authorized users. Public access exposes these details to non-authorized users as well.
It also provides some information that is needed to display the login screen correctly.
This is accessible without login. Same for an instance I have running.
The API reference specifies that /server requires basic authorization: