Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
Allow "Get Version" from API to not require authentication #10453
Please provide the following information
qBittorrent version and Operating System
Running 4.2.0 Apha on Ubuntu 18.x
If on linux, libtorrent and Qt version
What is the problem
What is the expected behavior
Steps to reproduce
Extra info(if any)
I've been running the alpha for a little while and I've noticed that some third party tools that interface with qBittorrent using the API have broke. When Fixing the third party tools, I want to be able to use the API to get the version of the server and API so the tool can have blocks of code that are tuned to a specific version of qBitTorrent and making them backwards compatible.
There are already APIs for getApplicationVersion and Get API version, but I have to authenticate first. Because these are low risk / info only calls I think it would be safe to make these API available without authentication.
Also I do see that the version tends to be in the WebUI login page and IF it is available I could login and use that, but I can't be guaranteed the WebUI is there, as well as it's rather non-elegant.
It was deliberately designed to behave this way.
One similar example is hiding the apache server version, people (at least myself) don't want to give away version info to anyone.
I don't want the webAPI to become hard to use but I suppose it is still easy enough to always authenticate before getting the version?
I would say this is overlooked, and you should not rely on the version here.
From a standpoint of absolute security, the version apis leak valuable information and should require authentication. But as a consumer of qbittorrent's api, the lack of pre-auth version checking is less than ideal. What if the auth url/protocol/anything changes in the future? It already changed once in api v2.
I think all third party apps should now default to api v2 (for all endpoints)- it's been out since 4.1.0 dropped in May 2018. But 11 months isn't long enough to drop support, so apps should provide an option to use the old apis (or default failover to them).