Is there a possibility to protect the JSON-API against “the whole world”? I want to restrict the access to my home automation server, but as far as I can see, there’s only the possibility to share it without restrictions.
Am I wrong? If not, this would be a feature request.
@devnull I think the subject is PhoneTrack logging links.
@dora71 Even if you don’t need to be authenticated in Nextcloud to use those logging links, the session token acts like a sort of password so nobody can log to your sessions or get any information from them.
Even if you’re using the HTTP GET method to log, the URL path (/index.php/apps/phonetrack/…) is encrypted in the request, don’t worry about that.
But most probably, the answer from Julien is the same here.
Will think about that … most probably there is also a way to restrict the access on the webserver itself as long as the path (./apps/phonetrack/api/) does not change.
Found a suitable solution for me. I am running Nextcloud in a docker container behind an Apache Proxy Server. For the API directory, I added the following in my virtual host config file from Apache Server (version 2.4.22):
<ProxyMatch "/apps/phonetrack/api" >
Require ip aa.bb.cc.dd
</ProxyMatch>
Works as expected, the link can only be called from IP-Address aa.bb.cc.dd.
If somebody also or only wants to exclude the public link(s), the directory has to be changed to:
/apps/phonetrack/publicSessionWatch
Perhaps it is useful for someone.
Thanks again for your help and for developing PhoneTrack and Nextcloud. I love it.
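Both restrictions from the post above combined in one block, as an added example that is not part of the original thread. It generalizes the posted config slightly: one regex covers the API path and the public-link path, and more than one source address is allowed. The IP addresses are placeholders from the documentation ranges, not values from the thread.

```apache
# Added example: placeholder addresses from the RFC 5737 documentation ranges;
# replace them with the hosts that are allowed to call PhoneTrack.
# Goes inside the <VirtualHost> that proxies to the Nextcloud container.

# The regex is unanchored, so it matches the path with or without
# the /index.php prefix.
<ProxyMatch "/apps/phonetrack/(api|publicSessionWatch)">
    # Several addresses or CIDR ranges may be listed; any match is enough.
    Require ip 192.0.2.10 198.51.100.0/24
</ProxyMatch>
```

From a host outside the listed addresses, a request to either path should come back as 403 Forbidden.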