Allow "Get Version" from API to not require authentication #10453

Open
gbonk opened this Issue Apr 5, 2019 · 2 comments

gbonk commented Apr 5, 2019

Please provide the following information

qBittorrent version and Operating System

Running 4.2.0 Alpha on Ubuntu 18.x

If on linux, libtorrent and Qt version

(type here)

What is the problem

(type here)

What is the expected behavior

(type here)

Steps to reproduce

(type here)

Extra info(if any)

I've been running the alpha for a little while and I've noticed that some third party tools that interface with qBittorrent using the API have broken. When fixing the third party tools, I want to be able to use the API to get the version of the server and API so the tool can have blocks of code that are tuned to a specific version of qBittorrent, making them backwards compatible.

There are already APIs for getApplicationVersion and Get API version, but I have to authenticate first. Because these are low risk / info only calls I think it would be safe to make these APIs available without authentication.

Also I do see that the version tends to be in the WebUI login page and IF it is available I could log in and use that, but I can't be guaranteed the WebUI is there, as well as it's rather non-elegant.

thalieht added the WebAPI label Apr 5, 2019

Chocobo1 (Member) commented Apr 6, 2019

> There are already APIs for getApplicationVersion and Get API version, but I have to authenticate first.

It was deliberately designed to behave this way.

> Because these are low risk / info only calls I think it would be safe to make these APIs available without authentication.

One similar example is hiding the Apache server version: people (at least myself) don't want to give away version info to anyone.

I don't want the webAPI to become hard to use but I suppose it is still easy enough to always authenticate before getting the version?

> Also I do see that the version tends to be in the WebUI login page and IF it is available I could log in and use that

I would say this is overlooked, and you should not rely on the version here.

Piccirello (Contributor) commented Apr 16, 2019

From a standpoint of absolute security, the version APIs leak valuable information and should require authentication. But as a consumer of qBittorrent's API, the lack of pre-auth version checking is less than ideal. What if the auth URL/protocol/anything changes in the future? It already changed once in API v2.

I think all third party apps should now default to API v2 (for all endpoints) - it's been out since 4.1.0 dropped in May 2018. But 11 months isn't long enough to drop support, so apps should provide an option to use the old APIs (or default failover to them).
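
An added example, not part of the thread and not qBittorrent's or any participant's code: a third-party client that authenticates first and only then reads the version, trying the API v2 endpoints before failing over to the legacy ones, as discussed above. The function and variable names are hypothetical, and treating a 404 on the login path as "endpoint absent" is an assumption about how a server without that API responds.

```python
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Endpoint sets: WebAPI v2 (qBittorrent >= 4.1.0) first, legacy API as failover.
API_FLAVOURS = [
    {"name": "v2", "login": "/api/v2/auth/login",
     "app": "/api/v2/app/version", "api": "/api/v2/app/webapiVersion"},
    {"name": "legacy", "login": "/login",
     "app": "/version/qbittorrent", "api": "/version/api"},
]


def make_fetch(base_url):
    """Return fetch(path, form=None) -> (status, body) sharing one cookie jar."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))

    def fetch(path, form=None):
        data = urllib.parse.urlencode(form).encode() if form else None
        # Referer matches the host, which the WebUI's CSRF check expects.
        req = urllib.request.Request(base_url + path, data=data,
                                     headers={"Referer": base_url})
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, resp.read().decode().strip()
        except urllib.error.HTTPError as err:
            return err.code, ""
    return fetch


def detect_version(fetch, username, password):
    """Log in, then read versions; try v2 endpoints before the legacy ones."""
    for flavour in API_FLAVOURS:
        status, body = fetch(flavour["login"],
                             {"username": username, "password": password})
        if status == 404:  # assumption: 404 means this API flavour is absent
            continue
        if status != 200 or body != "Ok.":
            # Endpoint exists but refused us: do not replay credentials elsewhere.
            raise PermissionError(f"{flavour['name']} login refused ({status})")
        app_status, app = fetch(flavour["app"])
        api_status, api = fetch(flavour["api"])
        if app_status == 200 and api_status == 200:
            return {"flavour": flavour["name"], "app": app, "api": api}
        raise RuntimeError("version endpoints unavailable after login")
    raise RuntimeError("no known login endpoint found")
```

For a live server, pass `make_fetch("http://localhost:8080")` (a placeholder address) as the `fetch` argument.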
