There is unauthorized access to the API, resulting in the disclosure of sensitive information

[topdayplus]

This api does not require login, obtains user information through user_id, and returns the user name, password, and email address in plain text.

It is like the preview address provided by the project, macwk.cc, and the backend service address is macwk.cc/api through the request body. So we can get any user information, including the administrator.

[Thecosy]

Sorry, this interface is the interface for the foreground to obtain other user information. It is open. I will authenticate him in the next version. And hide key information. thank you for your support