
API: Endpoint for API docs needs session cookie #319

Closed
bastilimbach opened this issue Sep 23, 2018 · 4 comments
@bastilimbach

Describe the bug
Currently, you cannot access the swagger API doc under https://yourKimaiInstance.com/api/doc.json without a valid session cookie. You need to generate this session cookie manually because the header fields "X-AUTH-USER" and "X-AUTH-TOKEN" don't work for this endpoint.

In my opinion, the documentation endpoint shouldn't need any authentication.

To Reproduce
Steps to reproduce the behavior:

  1. Set X-AUTH-USER header
  2. Set X-AUTH-TOKEN header
  3. Execute GET request to https://demo-v2.kimai.org/api/doc.json

Response:

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url=https://demo-v2.kimai.org/en/login" />

        <title>Redirecting to https://demo-v2.kimai.org/en/login</title>
    </head>
    <body>
        Redirecting to <a href="https://demo-v2.kimai.org/en/login">https://demo-v2.kimai.org/en/login</a>.
    </body>
</html>

If you execute a GET request using the authentication header to another endpoint (e.g. /activities), a session cookie is created and the above /doc.json request works.

Expected behavior
The /doc.json should return the swagger documentation without authentication. If you think authentication is required, the headers X-AUTH-USER and X-AUTH-TOKEN need to work as expected.

Additional context
As you know, I'm currently converting Timeu to support Kimai2 instead of Kimai v1. In the process of doing that I need to get the API version, to validate that the entered Kimai URL to their custom Kimai Instance is correct. With the legacy Kimai API I sent a request to the JSON-RPC-2.0 documentation (core/json.php) to get the version. Using that I could validate the entered Kimai URL.
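A client-side check for the behaviour reported above, added here as an example; it is not code from Kimai or from Timeu. It assumes only what the issue shows: the header names X-AUTH-USER and X-AUTH-TOKEN, the path /api/doc.json, and a login page delivered as an HTML meta-refresh. The point a client author needs to handle is that the captured "redirect" is a 200 OK HTML document, not an HTTP 3xx, so an HTTP library will not follow it and a naive `json.loads` on the body simply fails. The sample responses at the bottom are constructed for the offline run.

```python
"""Classify what a Kimai 2 /api/doc.json request actually returned.

Added example, not Kimai's or Timeu's code. Assumes only the header names and
endpoint path quoted in the issue, and that the login page is served as an
HTML meta-refresh page (as in the captured response).
"""
import json
import re
import urllib.request
from html.parser import HTMLParser

DOC_PATH = "/api/doc.json"


def auth_headers(user: str, token: str) -> dict:
    """Build the token-auth headers the issue expects the endpoint to honour."""
    return {"X-AUTH-USER": user, "X-AUTH-TOKEN": token, "Accept": "application/json"}


class _MetaRefresh(HTMLParser):
    """Collect the target of a <meta http-equiv="refresh" content="0;url=..."> tag."""

    def __init__(self):
        super().__init__()
        self.url = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content", ""), re.I)
            if m:
                self.url = m.group(1)


def classify_doc_response(content_type: str, body: str) -> dict:
    """Decide what the docs endpoint returned.

    {"kind": "swagger", "version": ...}        a real swagger/openapi document
    {"kind": "login_redirect", "login_url": ...} the HTML meta-refresh from the issue
                                               (seen by the client as 200 OK, not 3xx)
    {"kind": "unknown"}                        anything else
    """
    looks_json = "json" in content_type.lower() or body.lstrip().startswith("{")
    if looks_json:
        try:
            doc = json.loads(body)
        except ValueError:
            return {"kind": "unknown"}
        if isinstance(doc, dict) and ("swagger" in doc or "openapi" in doc):
            return {"kind": "swagger", "version": doc.get("info", {}).get("version")}
        return {"kind": "unknown"}
    parser = _MetaRefresh()
    parser.feed(body)
    if parser.url and "/login" in parser.url:
        return {"kind": "login_redirect", "login_url": parser.url}
    return {"kind": "unknown"}


def fetch_doc(base_url: str, user: str, token: str) -> dict:
    """Perform the issue's GET against a live instance (network; not run offline)."""
    req = urllib.request.Request(base_url.rstrip("/") + DOC_PATH,
                                 headers=auth_headers(user, token))
    with urllib.request.urlopen(req, timeout=10) as resp:
        ctype = resp.headers.get("Content-Type", "")
        return classify_doc_response(ctype, resp.read().decode("utf-8", "replace"))


# Constructed sample inputs: the HTML body the issue captured, and a minimal
# swagger document (the version string below is made up for the example).
LOGIN_HTML = """<!DOCTYPE html>
<html><head><meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url=https://demo-v2.kimai.org/en/login" />
<title>Redirecting to https://demo-v2.kimai.org/en/login</title></head>
<body>Redirecting to <a href="https://demo-v2.kimai.org/en/login">login</a>.</body></html>"""

SWAGGER_JSON = json.dumps({"swagger": "2.0",
                           "info": {"title": "example", "version": "0.0-example"},
                           "paths": {}})

if __name__ == "__main__":
    print(classify_doc_response("text/html; charset=UTF-8", LOGIN_HTML))
    print(classify_doc_response("application/json", SWAGGER_JSON))
```

With a real instance, `fetch_doc("https://your.kimai.example", user, token)` returns the same dictionaries; a client validating a user-entered Kimai URL should treat `login_redirect` as "reachable but unauthenticated" rather than as a bad URL.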

@kevinpapst
Member

Ok, the problem is this line:
https://github.com/kevinpapst/kimai2/blob/master/src/Security/TokenAuthenticator.php#L49
You can simply remove it to test this locally while I need to check why I added it.
For the meantime I patched it in the demo. This patch will be gone with the next automatic installation, so this will only work right now.
And I have to think about if authentication is required at all for this endpoint. Normally I would say: be as secure as possible.

@bastilimbach
Author

If you add the version number to the ping endpoint as described in #320, I'm totally fine with not being able to access the API doc without authentication.

I think security isn't an issue in this case. The returned JSON doesn't include any sensitive data. The only reason I can think of is that you could determine the Kimai version and potentially use that information to exploit a bug which was only present in that specific Kimai version.

@kevinpapst
Member

I am closing this as I would prefer to not expose the API docs for unauthenticated users for now.

@lock

lock bot commented Jan 5, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. If you use Kimai on a daily basis, please consider donating to support further development of Kimai.
