POST /api/v2/dns/fqdn returns 403 for all client types #10
Description
Summary
The SPAN API Client Docs describe three endpoints for FQDN management under /api/v2/dns/fqdn (POST, GET, DELETE), documented in the Endpoints Enabling FQDN Inclusion in Server Certificate SAN section. GET and DELETE work as documented, but POST returns 403 for all client registration methods.
Use Case
Home Assistant users who do not have mDNS on their network (blocked, different VLAN) and do not have a static IP on the panel rely on local DNS (e.g., Pi-hole, OPNsense, UniFi) to reach the panel via FQDN. The MQTT TLS connection uses PROTOCOL_TLS_CLIENT with hostname verification, so the FQDN must appear in the server certificate's SAN for the TLS handshake to succeed.
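To make the hostname-verification point concrete, here is an added example (not code from the SPAN project or from Home Assistant) showing what a `PROTOCOL_TLS_CLIENT` context enforces by default and how a server name is matched against a certificate's SAN entries. The SAN values (`span.local`, `192.168.10.20`, `span-panel.home.lan`) are constructed placeholders, not real panel data; the matching rules follow RFC 6125 DNS-ID matching as Python's `ssl` module applies them.

```python
import ipaddress
import ssl


def tls_client_context() -> ssl.SSLContext:
    """Build a client context the way an MQTT TLS client does.

    PROTOCOL_TLS_CLIENT turns on check_hostname and CERT_REQUIRED by default,
    so the server name used to connect must appear in the certificate's SAN.
    Loading the panel CA (ctx.load_verify_locations) would follow in real use.
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def context_verifies_hostname(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject a certificate whose SAN lacks the name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def _dns_id_matches(host: str, pattern: str) -> bool:
    """RFC 6125 DNS-ID match: exact, or a single leftmost wildcard label."""
    host = host.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.home.lan" -> ".home.lan"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        # the wildcard covers exactly one label and never the bare domain
        return bool(prefix) and "." not in prefix
    return False


def server_name_matches_san(server_name: str, san: list[tuple[str, str]]) -> bool:
    """Mirror hostname verification: an IP literal must match an iPAddress
    entry, a DNS name must match a dNSName entry. A DNS name is never matched
    against an IP entry, which is why a panel reached by FQDN needs that FQDN
    in its SAN even when its IP address is already listed."""
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_id_matches(server_name, value):
            return True
    return False


# Constructed SAN sets (made-up values): a panel certificate before and after a
# user FQDN has been added through POST /api/v2/dns/fqdn.
PANEL_SAN_BEFORE = [("DNS", "span.local"), ("IP", "192.168.10.20")]
PANEL_SAN_AFTER = PANEL_SAN_BEFORE + [("DNS", "span-panel.home.lan")]


if __name__ == "__main__":
    ctx = tls_client_context()
    print("hostname verification on:", context_verifies_hostname(ctx))
    for name in ("span.local", "192.168.10.20", "span-panel.home.lan"):
        print(f"{name:22} before={server_name_matches_san(name, PANEL_SAN_BEFORE)}"
              f" after={server_name_matches_san(name, PANEL_SAN_AFTER)}")
```

Run as a script it prints, for each server name, whether the handshake's name check would pass against the two SAN sets; `span-panel.home.lan` only passes once the dNSName entry is present, which is the state the POST endpoint exists to produce.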
Observed Behavior
The panel's /api/v2/auth/clients endpoint shows two endpoint groups: dashboard and sensitive. Neither grants POST access to /api/v2/dns/fqdn.
| Auth Method | Endpoint Group | GET | DELETE | POST |
|---|---|---|---|---|
| v2 passphrase (/api/v2/auth/register with hopPassphrase) | dashboard | 200 | 200 | 403 |
| v1 passphrase (/api/v1/auth/register with hopPassphrase) | dashboard | 200 | 200 | 403 |
| v2 proximity (/api/v2/auth/register door bypass) | sensitive | 200 | 200 | 403 |
POST response body:

```json
{"detail": "Client <name> not authorized to post on /api/v2/dns/fqdn"}
```

Expected Behavior
Per the documentation: "All three endpoints require the accessToken obtained from the authentication endpoint." A valid accessToken obtained from /api/v2/auth/register should be able to POST to /api/v2/dns/fqdn.
Environment
- Firmware: spanos3/r202603/06
- Panel: SPAN Panel (v2 API)
Request
Could the POST permission for /api/v2/dns/fqdn be granted to clients registered via the standard authentication endpoints? Proximity-based registration (sensitive group) would be a reasonable minimum requirement given the security implications of modifying the TLS certificate.