morph1904 / Tyger2

A Reverse Proxy Application
GNU General Public License v2.0

Data possibly publicly readable #12

Closed daftwally closed 4 years ago

daftwally commented 4 years ago

I just installed Tyger2 (the ubuntu install, not docker) and I noticed that you get a Django REST framework page if you visit your install on port 9090 (instead of 9091 for the ui). The page is unstyled (it can load the css/js, I presume because it tries to load it from port 9090 on the host). On that page are the following links:

- "users": "http://example.com:9090/users/"
- "addresses": "http://example.com:9090/addresses/"
- "apps": "http://example.com:9090/apps/"
- "dns": "http://example.com:9090/dns/"
- "endpoint": "http://example.com:9090/endpoint/"

If you click these links you get a page with what seems to be a dump of some of the configuration. If you click the users link for example you get a list of the users, including the associated email. I haven't found any passwords/hashes though. These pages also have forms on them to submit data and at least the users page let me create a user (albeit without password). Please note that this works from outside the network and without being logged in.
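The behaviour reported above (an API navigator served to anyone, plus list and create forms that work without logging in) is what Django REST framework does out of the box when `REST_FRAMEWORK` leaves the renderer and permission defaults in place. The following is an added example, not Tyger2's code: a small audit function for a `REST_FRAMEWORK` settings dict, run over a constructed weak configuration and a constructed hardened one; the settings values are assumptions about how such a backend might be configured.

```python
# Added example (not part of the Tyger2 project): audit a Django REST framework
# settings dict for the two conditions behind the report above.

# DRF's own defaults when REST_FRAMEWORK is absent or a key is missing:
# JSON plus the browsable API renderer, and AllowAny as the permission class.
DEFAULT_RENDERERS = [
    "rest_framework.renderers.JSONRenderer",
    "rest_framework.renderers.BrowsableAPIRenderer",
]
DEFAULT_PERMISSIONS = ["rest_framework.permissions.AllowAny"]


def audit_drf_settings(rest_framework):
    """Return a list of findings (strings) for a REST_FRAMEWORK dict; empty means clean."""
    findings = []
    renderers = rest_framework.get("DEFAULT_RENDERER_CLASSES", DEFAULT_RENDERERS)
    perms = rest_framework.get("DEFAULT_PERMISSION_CLASSES", DEFAULT_PERMISSIONS)

    if any(r.endswith("BrowsableAPIRenderer") for r in renderers):
        findings.append("browsable API renderer enabled: the API navigator "
                        "(links to /users/, /apps/, ...) is served to any client")
    if any(p.endswith("AllowAny") for p in perms):
        findings.append("AllowAny is the default permission: list and create "
                        "forms work without logging in")
    return findings


# Constructed weak configuration: an empty dict behaves exactly like an
# unconfigured DRF app, which is the symptom described in this issue.
WEAK_SETTINGS = {}

# Constructed hardened configuration (an assumption, not the project's settings):
# JSON only, and a login required by default on every endpoint.
HARDENED_SETTINGS = {
    "DEFAULT_RENDERER_CLASSES": ["rest_framework.renderers.JSONRenderer"],
    "DEFAULT_PERMISSION_CLASSES": ["rest_framework.permissions.IsAuthenticated"],
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.SessionAuthentication",
    ],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name + ":", audit_drf_settings(cfg) or ["no findings"])
```

Pointing `audit_drf_settings` at your own settings module's `REST_FRAMEWORK` dict is a quick way to confirm the backend is not relying on the defaults, independent of whether port 9090 happens to be forwarded.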

morph1904 commented 4 years ago

@daftwally

This is mostly intentional for the BETA of the app. The backing is a django REST framework application and this api navigator is there for debugging purposes. The only reason that it would be accessible outside of your network (from the internet) is if you are forwarding port 9090 to your ubuntu server. This is not necessary. You need only forward ports 9091, 80 and 443. The next release of the BETA will have a different version of this backend available which will operate differently.

morph1904 commented 4 years ago

@daftwally I am going to close this for now as it is not really a bug or issue but if you need any further support please let me know.