Some system API endpoints have no JWT auth
nevets963 opened this issue
Is there a reason why some API endpoints don't use JWT auth? e.g. /system/update-status, /system/backup-status, /system/memory
I'm more concerned about /system/memory because it reveals some services running on the Umbrel instance and therefore could aid an attacker to search for vulnerabilities in third-party software to gain access to the Umbrel instance, e.g. uptime-kuma.
https://testnet.getumbrel.com/manager-api/v1/system/memory
Yeah, /system/update-status is polled during the update process, and during that the user will get logged out and so will no longer have a JWT. With regards to /system/backup-status and /system/memory, I think you might be right; it looks like that could have been an oversight. Let me look into it and confirm that and get back to you. Thanks for letting us know!
You were right @nevets963, those endpoints shouldn't have been exposed without JWT auth. This is now resolved by #115. We'll do a new manager release and push an Umbrel update out asap with the updated manager image.
Great spot and thanks again for reaching out!