V6 - App Password without admin interface password?

crimsonalba · February 24, 2025, 10:47pm

Expected Behaviour:

I am expecting to be able to utilize an App Password, regardless of having a web interface password, or 2FA enabled.

Actual Behaviour:

I have generated a new App Password (and applied it). When I try to use this app password within the password property of the JSON body to POST /api/auth, I get this repsonse:

{
	"session": {
		"valid": true,
		"totp": false,
		"sid": null,
		"validity": -1,
		"message": "password incorrect"
	},
	"took": 6.29425048828125e-05
}

Stating the password is incorrect.

similiarly, if I try to send an empty string: password: "" I get "no password set" error.

The only thing I can think that is causing this, is that I dont have a web interface password set, and it seems that by default, the web interface password, and the default api password is the same. It seems like from reading the docs, that an App Password should work just fine, but I am wondering if there is a bug that is preventing an app password from working because I dont have a password set?

Debug Token:

Debug token: https://tricorder.pi-hole.net/dwaHwFON/

crimsonalba · March 8, 2025, 7:01pm

So i think I answered my own question. Doing a GET /api/auth

results in:

{
  "session": {
    "valid": true,
    "totp": true,
    "sid": null,
    "validity": -1,
    "message": "no password set"
  },
  "took": 0.00003361701965332031
}

Which the /api/docs page means authentication just isnt required for the API to function, even with an App Password set.

(I verified this by trying other GET endpoints, and I get data back)

system · March 29, 2025, 7:01pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.