Not sure if it’s a bug or worth an issue but
Syncthing installed on a new Ubuntu server, with apt-get from:
deb http://apt.syncthing.net/ syncthing release
I wanted to make this server reachable with the REST API (that I already use a lot), so I went to the GUI and generated a new key from the configuration panel. The GUI is password protected and HTTPS is activated. Saved and tried to reach my endpoint: “Not authorized”. Tried to restart Syncthing: standard curl commands still “Not authorized”.
To be sure, I tested the command on 2 other endpoints with their respective API keys; they work as expected:
curl -X GET -k -H "X-API-Key: REDACTED" https://127.0.0.1:8384/rest/system/status
Came back to the Ubuntu server, restarted Syncthing anew, and at some point when opening the configuration panel, the API key was gone from the text field. I generated another one, again, retried, relaunched, updated Syncthing, still nothing.
Then I logged into my command line, verified that Syncthing was running as the syncthing user, went into ~/.config/syncthing/ and did a
cat config.xml | grep apikey
and to my surprise the apikey saved in the config file was none of the 3-4 I generated from the start.
I tested this API key, and to my surprise, it worked… Double-checked the config file, it’s the one from the running instance (matching folders, devices, some custom settings, …).
Tried again to generate a new key from the configuration panel, saved the changes, restarted to be sure, and the new key shown in the config panel still doesn’t work… and there is always the same key written in my config.xml… and this key still works.
If I stop Syncthing from servicectl and try to reach it with the key from the config file… it doesn’t work anymore…
So my conclusion: it seems that in some way, the key written in the config file is hardcoded, which worries me a lot. Am I missing something? I must be missing something.
Any idea?
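
The checks described in the post above (read the key from config.xml, compare it with the key shown in the GUI, and see which one the running instance accepts), gathered into one script as an added example that is not part of the original post or of Syncthing's tooling. The function names are hypothetical, the sample config and keys are constructed, and `diagnose` assumes GNU `stat` and `curl` are available:

```shell
#!/bin/sh
# Added example: compare the API key in config.xml with the key shown in the GUI
# and ask the running instance which one it accepts. All function names are
# hypothetical helpers; the sample config and keys are constructed.

# Print the <apikey> value stored in a Syncthing config.xml.
config_apikey() {
    sed -n 's:.*<apikey>\(.*\)</apikey>.*:\1:p' "$1" | head -n 1
}

# Short fingerprint, so keys can be compared in a report without being pasted.
key_fingerprint() {
    printf '%s' "$1" | sha256sum | cut -c1-12
}

# compare_key <config.xml> <candidate>: match, mismatch or no-key-on-disk.
compare_key() (
    disk=$(config_apikey "$1")
    if [ -z "$disk" ]; then echo "no-key-on-disk"
    elif [ "$disk" = "$2" ]; then echo "match"
    else echo "mismatch"
    fi
)

# probe_key <base-url> <key>: HTTP status of /rest/system/status (000 = no reply).
probe_key() {
    curl -s -k -o /dev/null -w '%{http_code}' -H "X-API-Key: $2" "$1/rest/system/status"
}

# diagnose <config.xml> <gui-key> <base-url>: one report covering both keys.
diagnose() (
    disk=$(config_apikey "$1")
    echo "config file: $1 ($(stat -c 'owner %U, modified %y' "$1"))"  # GNU stat
    echo "disk key   : $(key_fingerprint "$disk") -> HTTP $(probe_key "$3" "$disk")"
    echo "GUI key    : $(key_fingerprint "$2") -> HTTP $(probe_key "$3" "$2")"
    echo "comparison : $(compare_key "$1" "$2")"
)

# Constructed sample config.xml fragment for trying the parser offline.
sample_config() {
    cat <<'EOF'
<configuration>
    <gui enabled="true" tls="true">
        <address>127.0.0.1:8384</address>
        <apikey>CONSTRUCTED-KEY-ON-DISK</apikey>
    </gui>
</configuration>
EOF
}

if [ "$#" -eq 3 ]; then diagnose "$@"; fi
```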