by brianfletcher 1685 days ago
If you use the setup URL callback, you don't get any authorization code, just an installation id and the setup action. So there is no means to verify that the user honestly owns the installation that they are providing. Because the number is so short, it's easy to guess every combination.

Right, agree and understand 100%, but if I do the authorization code flow (which I agree all apps should do), is the 2nd check (of using the received token to check the user can access that installation) required? If they didn't have permission to install it, the callback wouldn't happen? I am feeling they imply a 3rd, interim diagram flow where you do the authorization code (instead of the setup URL that they should probably remove due to the risk), but without the GET /user/installations check. I am trying to understand if they had a POC of that being exploitable (e.g. using a valid code but sending a different installation ID).
Oh yeah I see what you mean. That sounds like we can optimize there. It's probably unlikely that a completely valid installation id and code comes back for the wrong app? I'm probably clutching at straws. Maybe the app is uninstalled by the time the redirect makes it back. Also unlikely. You are probably right that it is redundant.
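The second check debated above, as an added example that is not from the thread or from GitHub's own documentation: the callback's installation_id is only trusted if it appears in GET /user/installations for the user token obtained from the authorization code, so a valid code paired with someone else's installation id is rejected. The live fetcher assumes github.com and a user-to-server token; the sample response is constructed.

```python
import json
from typing import Iterable, List
from urllib.request import Request, urlopen

GITHUB_API = "https://api.github.com"  # assumption: github.com, not a GHES host


def fetch_user_installations(user_token: str, per_page: int = 100) -> List[dict]:
    """Fetch every page of GET /user/installations with the user-to-server token."""
    pages: List[dict] = []
    page, seen = 1, 0
    while True:
        req = Request(
            f"{GITHUB_API}/user/installations?per_page={per_page}&page={page}",
            headers={"Accept": "application/vnd.github+json",
                     "Authorization": f"Bearer {user_token}"},
        )
        with urlopen(req, timeout=10) as resp:
            body = json.loads(resp.read().decode("utf-8"))
        pages.append(body)
        seen += len(body.get("installations", []))
        if not body.get("installations") or seen >= int(body.get("total_count", 0)):
            break
        page += 1
    return pages


def installation_ids(pages: Iterable[dict]) -> set:
    """Collect the numeric ids from one or more /user/installations responses."""
    return {int(inst["id"]) for page in pages for inst in page.get("installations", [])}


def user_owns_installation(installation_id, user_token, fetch=fetch_user_installations) -> bool:
    """True only if the id from the callback is one the token holder can access."""
    try:
        wanted = int(str(installation_id).strip())
    except (TypeError, ValueError):
        return False  # missing or non-numeric id from the callback: reject, never guess
    return wanted in installation_ids(fetch(user_token))


# Constructed sample (not a real API capture): a user with access to two installations.
SAMPLE_PAGES = [{
    "total_count": 2,
    "installations": [
        {"id": 12345, "account": {"login": "example-org"}},
        {"id": 67890, "account": {"login": "example-user"}},
    ],
}]


def offline_fetch(_token: str) -> List[dict]:
    """Stand-in for fetch_user_installations so the check runs without network access."""
    return SAMPLE_PAGES
```

In the real callback handler, pass the token you exchanged the authorization code for and use the default fetcher; the installation_id from the query string goes in as-is.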