
Purpose of the /token/create API?

Open babyangel0307 opened this issue 6 years ago • 0 comments

Hi developers, I'm confused about the /token/create API. May I know the purpose of this API?

I think it has a security hole in it: a client user can grant any permission according to the following flow:

  1. A client user logs in.
  2. The client user's access token has the MANAGE_TOKEN permission by default.
  3. The client user can call the /token/create API with ANY permission or user ID. In this case, the client can create an admin token or a token with ANY permission.

babyangel0307 avatar Jul 27 '18 08:07 babyangel0307
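The flow the reporter describes is a token-minting privilege escalation: an endpoint that only checks "does the caller hold MANAGE_TOKEN" lets the caller mint a token with more rights than it has. The example below is added here to make that concrete; it is not DeviceHive code and does not use the project's classes. It models a token as a user ID plus a set of action strings, uses hypothetical constants `MANAGE_TOKEN` and `ADMIN`, and contrasts a create handler that checks only MANAGE_TOKEN with a hardened one that refuses to mint a token for another user or with actions outside the caller's own scope (unless the caller is an admin).

```python
"""Model of a token-create endpoint: permissive vs. scope-bounded (added example)."""
from dataclasses import dataclass

# Hypothetical action names used only for this illustration.
MANAGE_TOKEN = "MANAGE_TOKEN"
ADMIN = "ADMIN"
GET_DEVICE = "GET_DEVICE"


@dataclass(frozen=True)
class Token:
    user_id: int
    actions: frozenset  # set of action strings the token is allowed to perform


class TokenForbidden(Exception):
    """Raised when a token-create request is rejected."""


def create_token_unchecked(caller: Token, user_id: int, actions) -> Token:
    """Permissive handler: only requires the caller to hold MANAGE_TOKEN.

    Any caller with MANAGE_TOKEN can mint a token for any user with any
    actions, which is the escalation path described in the issue.
    """
    if MANAGE_TOKEN not in caller.actions:
        raise TokenForbidden("MANAGE_TOKEN required")
    return Token(user_id=user_id, actions=frozenset(actions))


def create_token_checked(caller: Token, user_id: int, actions) -> Token:
    """Hardened handler: a minted token must be a subset of the caller's rights.

    Rules (an assumption of this example, not the project's policy):
      * caller must hold MANAGE_TOKEN;
      * an ADMIN caller may mint anything;
      * otherwise the target user must be the caller itself and the requested
        actions must not exceed the caller's own actions.
    """
    if MANAGE_TOKEN not in caller.actions:
        raise TokenForbidden("MANAGE_TOKEN required")
    requested = frozenset(actions)
    if ADMIN in caller.actions:
        return Token(user_id=user_id, actions=requested)
    if user_id != caller.user_id:
        raise TokenForbidden("non-admin may only mint tokens for its own user ID")
    excess = requested - caller.actions
    if excess:
        raise TokenForbidden(f"requested actions exceed caller scope: {sorted(excess)}")
    return Token(user_id=user_id, actions=requested)


def escalation_succeeds(create) -> bool:
    """Replay the reporter's flow against a create handler.

    A plain client (user 42, MANAGE_TOKEN + GET_DEVICE) asks for an ADMIN
    token bound to user 1. Returns True if the handler hands it over.
    """
    client = Token(user_id=42, actions=frozenset({MANAGE_TOKEN, GET_DEVICE}))
    try:
        minted = create(client, user_id=1, actions={ADMIN, MANAGE_TOKEN})
    except TokenForbidden:
        return False
    return ADMIN in minted.actions


def narrowed_token_allowed(create) -> bool:
    """Legitimate use: the same client mints a narrower token for itself."""
    client = Token(user_id=42, actions=frozenset({MANAGE_TOKEN, GET_DEVICE}))
    try:
        minted = create(client, user_id=42, actions={GET_DEVICE})
    except TokenForbidden:
        return False
    return minted.actions == frozenset({GET_DEVICE}) and minted.user_id == 42


if __name__ == "__main__":
    print("unchecked handler, escalation succeeds:", escalation_succeeds(create_token_unchecked))
    print("checked handler,   escalation succeeds:", escalation_succeeds(create_token_checked))
    print("checked handler,   narrowed self-token:", narrowed_token_allowed(create_token_checked))
```

The subset check is the essential part: MANAGE_TOKEN on its own should mean "may issue tokens within my own scope", not "may issue any token". Whether the real server applies such a bound is the question the issue asks.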