by tly_alex
2212 days ago
The write-up is not very clear in my opinion.
The graph seems to show that there are 3 API calls (maybe there are more API calls in reality?). And if I understand this correctly, the issue is in the first API call, where the server does not validate whether the requester owns the Email address in the request. What confuses me is where the "decoded JWT's payload" comes from. Is it coming from a different API call, or is it somewhere in the response?