POST users does not require authentication. Is this intentional?

vishalv2050 9 years ago

https://www.traccar.org/api-reference/#paths_users_POST
Here is the API I am talking about. This feels weird. Essentially, if I know where a server is running, can I create millions of users over on that DB?

Anton Tananaev 9 years ago

What makes you think that it doesn't require authentication? That assumption is incorrect. It does require authentication.

vishalv2050 9 years ago

I can post to this URL:
http://0.0.0.0:8082/api/users with just a single header (Content-Type: application/json). And no Authorization header.
And any body like

{
    "attributes": {},
    "name": "vishal",
    "email": "test8",
    "password": "test8"
}

And a user gets created in the DB and gets returned as part of the server response.

Anton Tananaev 9 years ago

It probably means that you have public registration enabled. Then you obviously can register new users.

vishalv2050 9 years ago

Ah ok. That makes sense!
Thanks for clarifying. I was really stumped by this.

elingtey 8 years ago

Hi Anton,
May I know how to disable the registration button? I log in to the admin -> settings section and can't find any place to remove the public registration button.

Anton Tananaev 8 years ago

You need to un-tick the "Registration" checkbox in the Settings > Server menu.