Hi,
I’m working with an unmanaged raspberrypi3 in local mode (prod image).
Experimenting with the supervisor API, I realized that I could successfully POST to the supervisor API from my laptop (or any other device in the same LAN) without any authorization token, even though this old post states that it shouldn’t be possible.
I was able to override the target state (deleting all the apps) with a query like this:
~ $ curl -X POST --header 'Content-type: application/json' -d @state.json http://rpi3.local:48484/v2/local/target-state
{"status":"success","message":"OK"}%
So I would like to ask for clarification about what the expected behavior should be.