Joplin REST API: Why are certain endpoints whitelisted?

Just being curious here.

Today, I was a bit baffled being able to write new Joplin notes despite not having passed the authentication token, which led to the source code research. A more consistent (in my eyes better) strategy would be:

		const whiteList = [['GET', 'ping']];

Though I only use the REST API from an external application, so I cannot say anything about Webclipper.

1 Like

They’re whitelisted because of the web clipper. I went on a similar digging trip earlier this year. I was attempting to determine how the web clipper was getting the token and I found out that the Webclipper doesn’t have the api token at all! At least, that was true when I last looked in March. It only calls those 4 APIs and those 4 APIs can be called without auth.

I think the idea is that the server only listens on localhost and you should secure your machine against intrusion, so it’s safe to leave those unauthed. And it is true that putting them behind auth would require some additional setup to get the webclipper and the client talking to each other.

Personally, I found it a bit strange too, but it is what it is. If you’re curious, this is the code that makes the api call in the web clipper. Looks like it’s still token-less.

1 Like

That’s correct, it even says so in the code:

		// For now, whitelist some calls to allow the web clipper to work
		// without an extra auth step

The clipper is bound to localhost, thus no remote access is allowed. The connection is http (unencrypted), so using a token is only useful to block other apps on that machine from doing “dangerous” or sensitive operations by accident.

But running a network trace or packet capture will reveal the token, so don’t think that the clipper is in any way secure.

We have once again the premise that your local system is considered secure. If it isn’t, it’s not Joplin’s fault.

3 Likes

Thank you both! That makes sense

The web clipper has requested to fill in the token, so what is the significance of this api whitelist? @laurent


ref: I wrote a tag cloud website that can be used to view the usage of all tags

I don't know which web clipper you are using, but the Joplin Web Clipper does not ask for a token.

I never knew about this extension... However, there is almost no usability of UI/UX, if you can, it is recommended

If localhost is trusted for some endpoints, why not for all endpoints? Either localhost should be trusted for everything or it should be suspect for everything. Nothing in between makes any sense (IMHO).

1 Like