Purpose of the /token/create api? #530

@babyangel0307


Hi developers,
I'm confused about the /token/create api.
May I know the purpose of this api?

Since I think it has a security hole in it.
A client user can grant any permission according to the following flow:

  1. A client user logs in itself
  2. The access token of the client user has the MANAGE_TOKEN permission by default
  3. The client user can call the /token/create api with ANY permission or user ID
     In this case, the client can create an admin token or a token with ANY permission
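The escalation path above comes down to one missing check: a token-creation endpoint must never mint a token with more rights than the caller already holds. The following is an added illustration of such a guard, not code from this project; the handler name, the `Token` class and the `ADMIN` permission name are assumptions, and only `MANAGE_TOKEN` and the flow itself come from the issue.

```python
"""Hypothetical hardened /token/create handler (added example, not project code).

Assumptions: a Token carries a user_id and a permission set; MANAGE_TOKEN is the
right to mint tokens; ADMIN is the assumed name of the administrator permission.
"""
from dataclasses import dataclass, field
import secrets

MANAGE_TOKEN = "MANAGE_TOKEN"
ADMIN = "ADMIN"  # assumed name, not taken from the issue


@dataclass(frozen=True)
class Token:
    user_id: str
    permissions: frozenset
    value: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class PermissionDenied(Exception):
    pass


def create_token(caller: Token, user_id: str, permissions: set) -> Token:
    """Mint a token on behalf of `caller` without exceeding the caller's rights.

    Three checks close the escalation described in the issue:
    1. the caller must itself hold MANAGE_TOKEN;
    2. the new token may only carry permissions the caller already has,
       so a non-admin caller cannot mint an admin token;
    3. the new token may only be issued for the caller's own user id,
       unless the caller is an administrator.
    """
    requested = frozenset(permissions)
    if MANAGE_TOKEN not in caller.permissions:
        raise PermissionDenied("caller lacks MANAGE_TOKEN")
    escalated = requested - caller.permissions
    if escalated:
        raise PermissionDenied(f"cannot grant {sorted(escalated)}")
    if user_id != caller.user_id and ADMIN not in caller.permissions:
        raise PermissionDenied("cannot issue tokens for other users")
    return Token(user_id=user_id, permissions=requested)


def can_create(caller: Token, user_id: str, permissions: set) -> bool:
    """True if create_token would accept this request (handy for tests and audit logs)."""
    try:
        create_token(caller, user_id, permissions)
        return True
    except PermissionDenied:
        return False
```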
