Calendar Feed still accessible across API key/system changes

I recently switched from running nzbdrone in a vm on unraid to a docker running nzbdrone version 2.0.0.2064 and during that switch I got new api keys. I noticed that the url I used to access the calendar feed in Google Calendar is still working, and when I click the link it downloads the ics file no problem even though the api key is from my old setup.

Not sure if this is meant to happen but it looks like it could be a security issue. I am by no means a programming/security expert but I feel the url http://www.example.com/nzbdrone/feed/calendar/NzbDrone.ics?apikey=“apikey” should only return a result if the current api key is received by nzbdrone.

It may not be a big deal but I couldn’t find anyone else with this specific issue so I thought I would bring it to your attention.

As far as I can tell the calendar feed isn’t even protected.

I created a card in trello to track it,

@kayone It is authenticated and it works.

@wilsonic You likely have authentication disabled in Settings->General. The feed isn’t an api call, so doesn’t need apikey authentication unless you enabled UI user/pw auth.
Please note that if you expose nzbdrone on a public IP you should enable authentication, because a remote host can easily access the UI urls to change anything they want.

I do have authentication disabled as I am using http auth with apache reverse proxy over ssl.

I have since noticed that if I follow the url before logging in it throws up http auth as you would expect, and as such I can’t get it to connect through Google Calendar anymore as it apparently doesn’t support authenticated urls. https://productforums.google.com/forum/#!topic/calendar/vjSZRkJHaWA

I’m not experienced with apache config.
But I imagine it might be possible to have the apache reverse proxy authenticate you to drone using basic auth, so you can have auth enabled in drone, while authenticating to apache using a different method.
Then you would have to add an exception in apache to pass through /feed/; that way you can have google use the apikey query parameter, or create a special reverse mapping for it on an entirely different url so you don’t affect the UI.

In any case, I’m closing the trello card. (and updating the topic)
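Below is an added example of the Apache layout kayone sketches above (it is not from this thread or from the nzbdrone project). It assumes Apache 2.4 with mod_proxy, mod_proxy_http, mod_headers, mod_auth_basic and mod_authz_user loaded, drone listening on 127.0.0.1:8989 with URL base /nzbdrone and its own UI auth enabled, and an Apache user database at /etc/apache2/htpasswd; the base64 credential value is a placeholder.

```apache
# Added example, not the thread's or the project's own config.
# Assumed: drone on 127.0.0.1:8989 under /nzbdrone with UI auth enabled,
# Apache users in /etc/apache2/htpasswd, vhost served over TLS only.

# 1. The UI: Apache authenticates the browser with its own user database,
#    then hands drone the basic-auth header drone expects, so drone's own
#    auth can stay switched on.
<Location "/nzbdrone">
    AuthType Basic
    AuthName "NzbDrone"
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user

    # Placeholder: base64("druser:drpassword") for the drone login.
    # This value is a credential; restrict read access to this config file.
    RequestHeader set Authorization "Basic REPLACE_WITH_BASE64_DRONE_CREDENTIALS"

    ProxyPass        http://127.0.0.1:8989/nzbdrone
    ProxyPassReverse http://127.0.0.1:8989/nzbdrone
</Location>

# 2. The calendar feed: Google Calendar cannot send credentials, so this
#    path is exempted from Apache auth and drone's apikey query parameter
#    becomes the only check on it. Keep the vhost HTTPS-only so the key is
#    not sent in clear, and regenerate the key if the feed URL leaks.
<Location "/nzbdrone/feed/">
    AuthType None
    Require all granted

    # mod_headers merges the parent section's directives first, so without
    # this "unset" the injected drone credentials would also be attached to
    # unauthenticated feed requests and silently bypass the apikey check.
    RequestHeader unset Authorization

    ProxyPass        http://127.0.0.1:8989/nzbdrone/feed/
    ProxyPassReverse http://127.0.0.1:8989/nzbdrone/feed/
</Location>
```

After reloading Apache, a browser visit to /nzbdrone should prompt for the Apache login, while a fetch of /nzbdrone/feed/calendar/NzbDrone.ics without apikey should be refused by drone and with the current apikey should return the ics file.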