On HTTP Utility Services API — Syncthing documentation it says that “These services are available via HTTP on the GUI listen address, but in contrast to the REST API do not require any form of authentication or an API key.”
Hitting http://localhost:8384/meta.js or http://localhost:8384/qr/?text=test with curl, they seem to require --insecure to avoid SSL certificate problem and --header 'X-API-Key: xxx' to avoid 403 Forbidden. Are the docs are out of date, or is my system misconfigured in some way?
I initially saw it on syncthing v1.28.0 (debian build) on Ubuntu 24.10. But 1.29.4 exhibits this behavior too. Should I submit a PR to fix the docs or try to fix the code instead?
Just now I tried to reproduce using on alpine-linux 3.21, using syncthing-1.28.1-r4 which ought to be from between those versions you’ve experienced the issue with. I am still allowed to use the API unauthenticated, with identical results as on the OpenBSD machine.
My vote would be for trying to fix the code, or at least get to the bottom with why it happens on your machine but not one mine.
The only way I expect those paths to not require authentication if is you’ve not enabled authentication. I have no strong opinion either way, the QR thing is not sensitive but also not something I think we need to provide as a general service without authentication? meta.json similarly is probably not sensitive but no real reason to serve it without auth afaik…
Correct. No username or password enabled here. My sockets are always created in directories only the launching user has permissions to. Everyone able to connect can also read the configuration file.
If I read the code correctly, the documentation would for sure benefit from being updated. Any instance configured to require username and password authentication may be accessed without those, as an api key short-circuits that elevated security? That’s unexpected.