URL encoded API token security implications

[tvaupo]

Hello!
I believe that encoding the access token into the URL carries security risks as it exposes you to interception of said token. The proper approach would be to use a correct header - similarly as you implement application/json type already. Header should be:
"Authorization: Bearer "
Let me know if my assessment is incorrect or you have other considerations.

[dgraf-gh]

Hi @tvaupo,

yes it is deemed safer to use the authorization header.
Reitti accepts the token in following headers:
X-API-TOKEN: <token> or Authorization: Bearer <token> or in the token-parameter for places where you can´t set the token via a header. For example in the OwnTracks app.

Hope this information helps

[tvaupo]

Ah, so it already supports this, that's excellent. The Settings/Integrations/Mobile App Ingestion need to be updated then to reflect this, currently it shows only the URL encoded way of doing it. English strings:
https://github.com/dedicatedcode/reitti/blob/main/src/main/resources/messages.properties#L775-L784

[dgraf-gh]

I have created a new issue #676 out of this discussion.
Will also need to update the auto config button to include that header.

Thank you for the hint.

[tvaupo]

Thanks @dgraf-gh!