Summary
Currently, /api/v2/login doubles as both login and registration — any unknown username automatically creates an account. There is also no way to delete an account or its associated health data.
Issues
1. No separate registration
Anyone can create an account by sending a POST to /login with a new username. On a public instance, this allows unlimited account creation and storage usage.
2. No account deletion
There is no endpoint to delete a user account or its associated data (hcgateway_<userid> database). Users have no way to remove their data from the server.
Suggested changes
- Separate /register and /login endpoints (optionally with invite codes or approval for public instances)
- Add a DELETE /api/v2/account endpoint that removes the user document and drops the user's data database
- Both changes would also help with GDPR compliance for public instances
🤖 Generated with Claude Code
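Added example, not part of the issue or the project's code: a sketch contrasting the login-or-create behaviour described above with separate registration, login and account deletion. The in-memory `AccountStore`, the invite codes, the status codes, PBKDF2 password hashing and the use of the username as the userid are all assumptions made for illustration.

```python
import hashlib, hmac, os

class AccountStore:  # in-memory stand-in (assumption), not the project's storage code
    def __init__(self, invite_codes):
        self.users = {}                   # username -> (salt, password hash)
        self.databases = set()            # names of the form hcgateway_<userid>
        self.invites = set(invite_codes)  # single-use invite codes

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _create(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))
        self.databases.add(f"hcgateway_{username}")  # userid == username here

    def _check(self, username, password):
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def login_or_create(self, username, password):
        # Behaviour described in the issue: an unknown username creates an account.
        if username not in self.users:
            self._create(username, password)
            return 201
        return 200 if self._check(username, password) else 403

    def register(self, username, password, invite):
        # Separate registration, gated by an invite code that is consumed on use.
        if invite not in self.invites:
            return 403
        if username in self.users:
            return 409
        self.invites.discard(invite)
        self._create(username, password)
        return 201

    def login(self, username, password):
        # Never creates accounts; unknown user and wrong password get the same status.
        if username not in self.users or not self._check(username, password):
            return 403
        return 200

    def delete_account(self, username, password):
        # Re-authenticate, then remove the user document and drop the data database.
        if self.login(username, password) != 200:
            return 403
        del self.users[username]
        self.databases.discard(f"hcgateway_{username}")
        return 204
```

With the separated handlers, a login attempt for an unknown username leaves `users` and `databases` unchanged, and deletion removes both the user record and its `hcgateway_<userid>` database.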