I do not find an option to regenerate the API token, or to list which applications have used the token. Moreover, the API seems to have access to all notebooks. I do not understand why an application like Web Clipper needs access to read, or even write and remove, all notes?
Is it possible to restrict access to specific notebooks, or to have more fine-grained control of access through the API? I think the bottom line is that we should at least be able to deprecate a token that may no longer be safe.
Good to know the web clipper does not have access to all data. How about the token issue?
Only you can give an application access to use the token, and usually these are scripts you run yourself on your computer, so there's not really a need to invalidate the token.
The feature could be added though; it's easy, but it doesn't feel very useful at this point.
The token can be sent out accidentally, or for testing some third-party application. There are many cases where the token needs to be invalidated. Even with something like PGP you have the option to invalidate your key, although theoretically everyone should keep their own key private and secure. And this is also why we should change our passwords regularly, even if "Only you can give access to an application to use the token, and usually these are scripts you run yourself on your computer".
The one key difference here being that PGP is meant for things like signing stuff you send to others.
If you leak your API token from Joplin, the attacker needs to know your IP address (and if they're on the internet and you're behind a router, even that won't help them), you need to have Joplin running, and you need to have a hole in your firewall that lets a request on a non-standard port through.
I’m not saying there shouldn’t be an option to invalidate it, there should. But I understand how this might not be such a huge priority.
PS: this might be more of an issue if people used the API to let it run on a server, for instance to use Joplin 'online'. Not sure how many people actually do that, though.
You are absolutely right. Currently, there are not many third-party tools that access the Joplin app through the API. If someone develops a browser extension and asks users to input their token, then essentially the user is sharing all of his/her notes with the extension without any method to revoke the permission. Actually, even the first time, we are risking losing all control over our notes, which is crazy. So I think the API provided should be strictly restricted to self-use. No third-party extension should be encouraged. This risk should be stated more clearly in the application.
Is the API even accessible from anywhere besides localhost?
I think we're running in circles here. Again, it's easy to add a button to refresh the token. Can you work on it? If not, you'll need to wait until someone does.
It's low priority because there's no known security issue with the API or the way the token is implemented. If you give the token to a third party, you need to assess yourself whether you can trust that third party (and, again, right now it's just custom scripts which you can inspect yourself). In case of a big problem, like you gave your token to malware that wants to steal all your notes, you can always just switch off the service until a solution is found (in fact, you can just find the token in the profile database and change it manually).
In any case, if you find an actual security issue, feel free to provide a PoC so that the issue can be replicated and worked on.