OH3 REST API security not consistent

I switched from OH2 to OH3 this week. A long time ago I wrote some small nodejs apps that interact with the REST API, which help me to maintain my items and things. I was prepared that they would not work anymore as I would have to implement support for authentication.
When I tested my apps today (without any code changes in my nodejs apps) I was puzzled that some REST API methods still work while others throw errors because of authentication problems (as expected).
It seems that for example GET/things is not protected by authentication, even without sending auth data the OH server returns all things. This can also be reproduced by a simple browser call:
[image]

Other methods like GET/links however seem to be protected, they work when passing auth parameters but not with a simple browser call:
[image]

I am on OH3 Snapshot 2028 and the REST API is called from another computer in the local network.

Is this expected behaviour?

I would expect that would be needed for unauthenticated users (currently non-Admins) to be able to read the Thing channel data. I believe the intent, at this point, was to require authentication for write access.

But my 2 examples are both of type read access. One is open without auth (get/things) while the other read access is blocked by auth (get/links). This does not make sense to me.

A fix for this was merged 3 days ago: https://github.com/openhab/openhab-core/pull/1807
According to https://ci.openhab.org/job/openHAB3-Distribution/ build #2028 is 5 days old.
You’re not current enough :grinning_face_with_smiling_eyes:


ok, time to upgrade :joy:
Thank you very much for clarification!
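
The check discussed in this thread can be scripted to re-run after an upgrade. This is an added example, not code from any poster or from the openHAB project: it probes read endpoints without credentials and flags the case where some answer and others demand authentication. The `/rest` prefix, the `OPENHAB_URL` variable, the function names and the sample status codes are assumptions or constructed values.

```javascript
// Added example (not from the thread). Requires Node 18+ for the global fetch.
// Assumption: the REST API is served under /rest on the openHAB host.
const READ_ENDPOINTS = ["/rest/things", "/rest/links"];

// Send each request with no credentials and record only the HTTP status.
async function probeUnauthenticated(baseUrl, paths) {
  const results = [];
  for (const path of paths) {
    try {
      const res = await fetch(baseUrl + path, { redirect: "manual" });
      results.push({ path, status: res.status });
    } catch (err) {
      // Network failure: keep the entry so it shows up as "unknown".
      results.push({ path, status: null });
    }
  }
  return results;
}

// Sort endpoints by how they answered an unauthenticated request.
// "consistent" is false when some read endpoints are open and others are not.
function classify(results) {
  const open = [], protectedPaths = [], unknown = [];
  for (const r of results) {
    if (r.status >= 200 && r.status < 300) open.push(r.path);
    else if (r.status === 401 || r.status === 403) protectedPaths.push(r.path);
    else unknown.push(r.path);
  }
  const consistent = open.length === 0 || protectedPaths.length === 0;
  return { open, protectedPaths, unknown, consistent };
}

// Constructed sample matching the behaviour reported in the first post.
const SAMPLE_REPORTED = [
  { path: "/rest/things", status: 200 },
  { path: "/rest/links", status: 401 },
];
// Constructed sample of what a uniform result would look like.
const SAMPLE_UNIFORM = [
  { path: "/rest/things", status: 401 },
  { path: "/rest/links", status: 401 },
];

console.log("reported:", classify(SAMPLE_REPORTED));
console.log("uniform: ", classify(SAMPLE_UNIFORM));

// Live run only when a base URL is supplied, e.g. OPENHAB_URL=http://host:8080
if (typeof process !== "undefined" && process.env.OPENHAB_URL) {
  probeUnauthenticated(process.env.OPENHAB_URL, READ_ENDPOINTS)
    .then((r) => console.log("live:    ", classify(r)));
}
```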