You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@usergrid.apache.org by "Lynch Lee (JIRA)" <ji...@apache.org> on 2016/11/12 04:40:58 UTC

[jira] [Commented] (USERGRID-1232) /revoketoken endpoint for admin user token does not require auth

    [ https://issues.apache.org/jira/browse/USERGRID-1232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15658996#comment-15658996 ] 

Lynch Lee commented on USERGRID-1232:
-------------------------------------

Yeah, this obvious is very dangerous for an admin user...

> /revoketoken endpoint for admin user token does not require auth
> ----------------------------------------------------------------
>
>                 Key: USERGRID-1232
>                 URL: https://issues.apache.org/jira/browse/USERGRID-1232
>             Project: Usergrid
>          Issue Type: Story
>            Reporter: Jeffrey 
>
> If I get an access token as an org admin user, that token can be revoked by anyone.
> For example, this request revokes all of the org admin access tokens for user amuramoto:
> curl -X PUT https://api.usergrid.com/management/users/amuramoto/revoketokens
> This also applies to the /revoketoken?token="someToken" endpoint
> An access token should be required to perform any operation on the /management endpoint. So the request would need to be something like...
> curl -X PUT https://api.usergrid.com/management/users/amuramoto/revoketokens?access_token="some_other_valid_token"
> Alternatively, the request could provide client id and secret.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)