OH3 REST API security not consistent

I switched from OH2 to OH3 this week.Long time ago I wrote some small nodejs apps that interact with the REST API which help me to maintain my items and things. I was prepared that they would not work anymore as I would have to implement support for authentication.
When I tested my apps today (without any code changes in my nodejs apps) I was puzzled that some REST API methods still work while others throw errors because of authentication problems (as expected).
It seems that for example GET/things is not protected by authentication, even without sending auth data the OH server returns all things. This can also be reproduced by a simple browser call:

Other methods like GET/links however seem to be protected, they work when passing auth parameters but not with a simple browser call:

I am on OH3 Snapshot 2028 and the REST API is called from another computer in the local network.

Is this expected behaviour?

I would expect that would be needed for unauthenticated users (currently non-Admins) to be able to read the Thing channel data. I believe the intent, at this point, was to require authentication for write access.

But my 2 examples are both of type read access. One is open without auth (get/things) while the other read acces is blocked by auth (get/links). This does not make sense to me.

A fix for this was merged 3 days ago: https://github.com/openhab/openhab-core/pull/1807
According to https://ci.openhab.org/job/openHAB3-Distribution/ build #2028 is 5 days old.
You’re not current enough :grinning_face_with_smiling_eyes:

1 Like

ok, time to upgrade :joy:
Thank you very much for clarification!