Today, I was a bit baffled at being able to write new Joplin notes despite not having passed the authentication token, which led to some source code research. A more consistent (in my eyes better) strategy would be:
const whiteList = [['GET', 'ping']];
I only use the REST API from an external application, though, so I cannot say anything about the Webclipper.
They’re whitelisted because of the web clipper. I went on a similar digging trip earlier this year. I was attempting to determine how the web clipper was getting the token and I found out that the Webclipper doesn’t have the api token at all! At least, that was true when I last looked in March. It only calls those 4 APIs and those 4 APIs can be called without auth.
I think the idea is that the server only listens on localhost and you should secure your machine against intrusion, so it’s safe to leave those unauthed. And it is true that putting them behind auth would require some additional setup to get the webclipper and the client talking to each other.
Personally, I found it a bit strange too, but it is what it is. If you’re curious, this is the code that makes the api call in the web clipper. Looks like it’s still token-less.
// For now, whitelist some calls to allow the web clipper to work
// without an extra auth step
The clipper is bound to localhost, thus no remote access is allowed. The connection is http (unencrypted), so using a token is only useful to block other apps on that machine from doing “dangerous” or sensitive operations by accident.
But running a network trace or packet capture will reveal the token, so don’t think that the clipper is in any way secure.
We have once again the premise that your local system is considered secure. If it isn’t, it’s not Joplin’s fault.