Require auth for more API endpoints #2411
One can surely discuss if auth is required for
Without wanting to discuss these in particular, but is this yet another breaking change? Have they really been forgotten or were they just deemed not worth being "protected"? If so, who made the decision (please say it wasn't me... I don't recall)?
Maybe, esp. for
Both can be true. I don't recall any discussion around this.
api_FTL.php
@@ -32,7 +32,7 @@ | |||
} | |||
} | |||
|
|||
if (isset($_GET['summary']) || isset($_GET['summaryRaw']) || !count($_GET)) { | |||
if (isset($_GET['summary']) || isset($_GET['summaryRaw']) || !count($_GET) && $auth) { |
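Review bot: In the changed condition, `&& $auth` applies only to `!count($_GET)`, because `&&` has higher precedence than `||` in PHP, so a request with `summary` or `summaryRaw` set still enters this branch without authentication. Wrap the three alternatives in parentheses so the check covers all of them: `if ((isset($_GET['summary']) || isset($_GET['summaryRaw']) || !count($_GET)) && $auth) {`. It is also worth stating in the PR what an unauthenticated request with no parameters should now receive, since it no longer matches this branch.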
I don't think this is the intended behavior:
Here, you only need `!count($_GET) && $auth` to be true if the first 2 values were `false`.
If any other value is `true`, you don't need to be authenticated.
Example:
`(true || false || false && false) == true`
Sure, I'll add (...)
Signed-off-by: Christian König <ckoenig@posteo.de>
This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there: https://discourse.pi-hole.net/t/pi-hole-ftl-v5-20-and-web-v5-18-released/59959/1
For people who were also using
Thanks for pointing this out. This is an unintended side-effect of the changes. There is no "default" response anymore if a password is set and no endpoint provided. We discuss internally how to proceed - but chances are high we'll also remove the "fall-back" option if no password is set to make both situations alike.
This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there: https://discourse.pi-hole.net/t/api-php-most-functions-do-not-work/60104/2
…f API (which now has mandatory authentication) See: https://pi-hole.net/blog/2022/12/21/pi-hole-ftl-v5-20-and-web-v5-18-released/#page-content and: pi-hole/web#2411
Necessary due to recent planned changes with the Pi-hole web interface that have now gone into effect: https://pi-hole.net/blog/2022/11/17/upcoming-changes-authentication-for-more-api-endpoints-required/ and pi-hole/web#2411. Most API calls, including 'status' and 'summary', now require the Pi-hole API token, which can be obtained through the Settings > API page. Based on the 2nd link above, there may be some further changes in the future here.
Fixes issue changed in PiHole API https://pi-hole.net/blog/2022/11/17/upcoming-changes-authentication-for-more-api-endpoints-required/ Actual change is listed here: pi-hole/web#2411
What does this PR aim to accomplish?:
When connecting to the API, most endpoints already required authentication. However, some did not (or were forgotten). This PR adds authentication as a requirement to the missing endpoints, except: `versions`, `type` and `version`.