PUT /api/subscribers/lists does not work with Authorization header

[fadorator]

Version:

• listmonk: 4.1.0
• OS: Linux (docker container)

Description of the bug and steps to reproduce:

The API endpoint /api/subscribers/lists with HTTP method PUT does not make any changes if called with Authorization header. At least not with action = remove and action = add.
If called with a cookie header, it works fine.

I tried to add and remove a subscriber from a list, which works fine with the cookie header.

This API call adds the subscriber 66 to list 1:

curl 'http://localhost:9000/api/subscribers/lists' \
  -X PUT -H 'Accept: application/json' -H 'Content-Type: application/json' \
  -H 'Cookie: session=mysessionid' \
  --data-raw '{"action":"add","list_ids":null,"target_list_ids":[1],"status":"confirmed","ids":[66]}'

This one does not:

curl 'http://localhost:9000/api/subscribers/lists' \
  -X PUT -H 'Accept: application/json' -H 'Content-Type: application/json' \
  -H 'Authorization: token myuser:mykey' \
  --data-raw '{"action":"add","list_ids":null,"target_list_ids":[1],"status":"confirmed","ids":[66]}'

Both calls return {"data":true}.

I created the first curl command by copying it from the Firefox developer tools and removed all irrelvant parameters. The second one is identical apart from the authorization.

Can anyone confirm this behaviour?

[github-actions]

This issue has been marked 'stale' after 90 days of inactivity. If there is no further activity, it will be closed in 7 days.