Joplin REST API: Why are certain endpoints whitelisted?

Just beeing curious here.

Today, I was a bit buffled being able to write new Joplin notes despite not having passed the authentication token, which lead to the source code research. A more consequent (in my eyes better) strategy would be:

const whiteList = [['GET', 'ping']];

Though I only use the REST API from an external application, so I cannot say anything about Webclipper.

1 Like

They’re whitelisted because of the web clipper. I went on a similar digging trip earlier this year. I was attempting to determine how the web clipper was getting the token and I found out that the Webclipper doesn’t have the api token at all! At least, that was true when I last looked in March. It only calls those 4 APIs and those 4 APIs can be called without auth.

I think the idea is that the server only listens on localhost and you should secure you machine against intrusion, so it’s safe to leave those unauthed. And it is true that putting them behind auth would require some additional setup to get the webclipper and the client talking to each other.

Personally, I found it a bit strange too, but it is what it is. If you’re curious, this is the code that makes the api call in the web clipper. Looks like it’s still token-less.

1 Like

That’s correct, it even says so in the code:

		// For now, whitelist some calls to allow the web clipper to work
		// without an extra auth step

The clipper is bound to localhost, thus no remote access is allowed. The connection is http (unencrypted) so using a token is only useful to block other apps on that machine to do “dangerous” or sensitive operations by accident.

But running a network trace or packet capture will reveal the token, so don’t think that the clipper is in any way secure.

We have once again the premise that your local system is considered secure. If it isn’t, it’s not Joplin’s fault.


Thank you both! That makes sense

The web clipper has requested to fill in the token, so what is the significance of this api whitelist? @laurent


ref: I wrote a tag cloud website that can be used to view the usage of all tags

I don't know which web clipper you are using, but the Joplin Web Clipper does not ask for a token.

I never knew about this extension. . . However, there is almost no usability of ui/ux, if you can, it is recommended

If localhost is trusted for some endpoints, why not for all endpoints? Either localhost should trusted for everything or it should be suspect for everything. Nothing in between makes any sense (IMHO).

1 Like