API Security Breach

Posted: Mon Jan 13, 2020 4:13 pm
by neil.interactit
Hi guys,

If this is sorted elsewhere, sorry, I haven't been able to locate it on the forums.

I have a plugin to action some custom API routes, and am using API key authentication.
To enable this, I first needed to enable the "REST API" plugin, which in turn opened many other routes.
To mitigate this, I have imported "RestPaths" and disallowed everything except the custom routes.

However, http://localhost:8080/Logs/Today, which does not require authentication, is still working, and shows the Authorization Bearer (API key) ...
breach.PNG

Is it possible to completely disable all the default routes, while still allowing custom API plugins? Or is there an alternate way to fix this security hole?

Cheers,
Neil

Re: API Security Breach

Posted: Mon Jan 13, 2020 4:30 pm
by Mike.Sheen
Hi Neil,

You should turn off DebugMode in the System Settings - this will disable the request logging and prevent unwanted information disclosure.

We only intended the DebugMode to be on for testing / development purposes - and making the logs inaccessible unless logged in was making troubleshooting logging in problematic.

We could perhaps make a setting to make the viewing of request logs only if authenticated - that way there is a way to handle all scenarios. I've logged this as improvement DEV-7992.
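The disclosure above (an unauthenticated request-log viewer showing Authorization headers) is the kind of thing an administrator should be able to check for and contain in their own logs. The following is an added example, not code from this forum or from the product being discussed: it scans constructed sample log lines (the line format is an assumption) for bearer tokens, reports which request leaked one, and produces a redacted copy in which only the last four characters survive for correlation.

```python
import re

# Constructed sample of debug request-log lines (assumed format, not real
# output from the product discussed above), of the kind an unauthenticated
# log viewer would expose while debug logging stays on.
SAMPLE_LOG = """\
2020-01-13 16:10:02 GET /Logs/Today Authorization: Bearer 9f1c3d2e7a8b4c5d6e7f8091a2b3c4d5
2020-01-13 16:10:05 POST /api/custom/orders Authorization: Bearer 0123456789abcdef0123456789abcdef
2020-01-13 16:10:09 GET /Version
"""

# Matches "Authorization: Bearer <token>" in any case; group 2 is the token.
BEARER_RE = re.compile(r"(?i)(authorization:\s*bearer\s+)(\S+)")
# Pulls the HTTP method and path out of a line so a leak can be attributed.
REQUEST_RE = re.compile(r"\b(GET|POST|PUT|PATCH|DELETE)\s+(\S+)")


def find_leaked_tokens(log_text):
    """Return (line_no, request_path, token) for every line carrying a bearer token."""
    leaks = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = BEARER_RE.search(line)
        if not m:
            continue
        req = REQUEST_RE.search(line)
        path = req.group(2) if req else "?"
        leaks.append((line_no, path, m.group(2)))
    return leaks


def mask(token, keep=4):
    """Keep only the last `keep` characters so an entry stays correlatable."""
    return "*" * max(len(token) - keep, 0) + token[-keep:]


def redact(log_text):
    """Return the log with every bearer token masked; safe to store or display."""
    return BEARER_RE.sub(lambda m: m.group(1) + mask(m.group(2)), log_text)


if __name__ == "__main__":
    for line_no, path, token in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {line_no}: request to {path} logged an API key ending ...{token[-4:]}")
    print(redact(SAMPLE_LOG))
```

Any key that turns up in such a scan should be treated as exposed and rotated, whatever the debug setting is afterwards.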

Re: API Security Breach

Posted: Mon Jan 13, 2020 4:37 pm
by neil.interactit
Many thanks Mike, will do.

Re: API Security Breach

Posted: Mon Jan 13, 2020 4:39 pm
by Mike.Sheen
neil.interactit wrote: Is it possible to completely disable all the default routes, while still allowing custom API plugins? Or is there an alternate way to fix this security hole?

And to answer this: Yes, this is possible - change the default permission for the user group(s) to have the "Default REST API Permission" set to Undefined, and then only add to the REST API paths the routes you want to expose, with the permission set to Allow.