Closed adripo closed 5 months ago
There is no user-facing direct link to the documentation. As this is an open source project, they could simply access the openapi.json in the project repository.
The API interaction requires authorisation and therefore this is not a security issue.
Thank you for your prompt response and for the clarification @Forceu .
While it's true that there is no user-facing direct link to the documentation and that the project is open source, I believe that restricting access to the '/apidocumentation' endpoint could still provide additional security benefits. Here are a few points for consideration:
Security Through Obscurity: While the concept of security through obscurity is not a primary defense mechanism, it can add an additional layer of security. Restricting access to API documentation can prevent unauthorized users from easily discovering the structure and endpoints of your API, even if they have access to the openapi.json file.
Minimizing Exposure: Limiting access to sensitive information, even in open source projects, can help minimize potential attack vectors. While the API interaction requires authorization, providing less information publicly can reduce the risk of potential misuse or exploitation.
Best Practices: Many organizations and projects follow the best practice of restricting access to API documentation to authenticated users, even for open source projects. This can help in maintaining a standard approach to security and access control.
I appreciate your consideration of this recommendation. If you still believe that no changes are necessary, I understand and respect that decision. Thank you for all your hard work on this project.
Description:
The /apidocumentation endpoint is currently accessible to all users, regardless of their authentication status. Exposing API documentation to unauthenticated users can lead to security risks.
Security Implications:
Allowing public access to API documentation can provide malicious actors with detailed information about the application's API endpoints, parameters, and expected responses. This information can be leveraged to discover potential vulnerabilities and devise attacks.
Recommendation:
To mitigate this risk, it is recommended to restrict access to the /apidocumentation endpoint so that only authenticated users can view the API documentation. This ensures that sensitive information about the API is not exposed to unauthorized users.
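The recommendation above, gating the documentation route behind the existing session check, is straightforward to express as an HTTP middleware. The following Go program is an added example written for this page; it is not code from the project under discussion, and the cookie name `session`, the in-memory `validSessions` table and the `demo-session-token` value are constructed stand-ins for whatever session mechanism the application really uses. It also gates the raw spec the documentation page fetches (here assumed to be served at `/apidocumentation/openapi.json`), since restricting only the HTML viewer while leaving the JSON reachable would make the change cosmetic. As the maintainer notes, the spec is still public in the repository, so this is defence in depth and not a fix for any weakness in the API itself.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed for this example: a cookie name and a table of valid session
// tokens standing in for the application's real session store.
const sessionCookieName = "session"

var validSessions = map[string]bool{
	"demo-session-token": true,
}

// isAuthenticated reports whether the request carries a known session cookie.
func isAuthenticated(r *http.Request) bool {
	c, err := r.Cookie(sessionCookieName)
	if err != nil {
		return false
	}
	return validSessions[c.Value]
}

// requireAuth wraps a handler so that unauthenticated requests get 401 and
// never reach the wrapped handler. Nothing about the protected resource is
// echoed back in the error body.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAuthenticated(r) {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// apiDocumentation and openAPISpec are placeholder handlers for the viewer
// page and the machine-readable spec it loads.
func apiDocumentation(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, "<html><body>API documentation (constructed placeholder)</body></html>")
}

func openAPISpec(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"openapi":"3.0.0","info":{"title":"placeholder","version":"0"},"paths":{}}`)
}

// newMux registers both documentation routes behind the same session gate.
// Registering them without requireAuth is the unrestricted form the issue
// describes; wrapping them is the recommended change.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/apidocumentation", requireAuth(http.HandlerFunc(apiDocumentation)))
	mux.Handle("/apidocumentation/openapi.json", requireAuth(http.HandlerFunc(openAPISpec)))
	return mux
}

// fetch returns the HTTP status the mux produces for path, optionally with a
// session cookie, using an in-process recorder so no network is needed.
func fetch(h http.Handler, path, session string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if session != "" {
		req.AddCookie(&http.Cookie{Name: sessionCookieName, Value: session})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	mux := newMux()
	fmt.Println("no cookie:      ", fetch(mux, "/apidocumentation", ""))
	fmt.Println("bogus cookie:   ", fetch(mux, "/apidocumentation", "not-a-session"))
	fmt.Println("valid cookie:   ", fetch(mux, "/apidocumentation", "demo-session-token"))
	fmt.Println("spec, no cookie:", fetch(mux, "/apidocumentation/openapi.json", ""))
}
```

Replace `isAuthenticated` with the application's real session lookup; the middleware itself does not change. Returning 401 with a fixed body (rather than redirecting to a login page that mentions the documentation) keeps the gated route from confirming what lives behind it.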