api: do not require sudo for GetAuth wrapper (#25968)

* api: do not require sudo for GetAuth wrapper

* changelog

api/sys_auth.go

@@ -20,7 +20,9 @@ func (c *Sys) GetAuthWithContext(ctx context.Context, path string) (*AuthMount,
 	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
 	defer cancelFunc()
 
-	r := c.c.NewRequest(http.MethodGet, fmt.Sprintf("/v1/sys/auth/%s", path))
+	// use `sys/mounts/auth/:path` so we don't require sudo permissions
+	// historically, `sys/auth` doesn't require sudo, so we don't require it here either
+	r := c.c.NewRequest(http.MethodGet, fmt.Sprintf("/v1/sys/mounts/auth/%s", path))
 
 	resp, err := c.c.rawRequestWithContext(ctx, r)
 	if err != nil {

changelog/25968.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+api: Do not require sudo for API wrapper functions GetAuth and GetAuthWithContext
+```

website/content/api-docs/system/auth.mdx

@@ -187,6 +187,11 @@ $ curl \
 ## Read auth method configuration
 
 This endpoints returns the configuration of the auth method at the given path.
+_This endpoint requires `sudo` capability on the final path, but the same
+functionality can be achieved without `sudo` via `sys/mounts/auth/[auth-path]`._
+
+- **`sudo` required** – This endpoint requires `sudo` capability in addition to
+  any path-specific capabilities.
 
 | Method | Path              |
 | :----- | :---------------- |
@@ -260,7 +265,7 @@ $ curl \
 
 ## Read auth method tuning
 
-- This endpoint reads the given auth path's configuration. This endpoint requires
+This endpoint reads the given auth path's configuration. _This endpoint requires
 `sudo` capability on the final path, but the same functionality can be achieved
 without `sudo` via `sys/mounts/auth/[auth-path]/tune`._