by davikr
322 days ago
> I used the JWT to authorize login, but never confirmed that the JWT token belonged to the userId / email associated with it in the admin actions. So you could log in with my username and password, grab the JWT, and then send that along with your request. IANAWD: What is more appropriate than an admin token being able to authenticate admin actions?
It's like I have a security access card to gain entry to a building; it's not really serving its purpose if I give you my pass and you turn up. They need to check that it belongs to the person presenting it.
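The access-card analogy above maps directly onto the bug the quoted post describes: the server checked that the token was genuine but never checked that the `userId` in the request was the one the token was issued to. The following is an added example, not code from the original thread or from the site being discussed; it uses a minimal self-contained HS256 JWT implementation with a constructed secret, and the function names (`vulnerable_admin_action`, `hardened_admin_action`), claim names and sample user ids are assumptions made for illustration. It shows the vulnerable handler beside the hardened one, which binds the request's `userId` to the token's `sub` claim and also checks the role.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, email: str, role: str, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT whose 'sub' claim identifies the user it was issued to."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "email": email, "role": role, "exp": int(time.time()) + 3600}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse algorithm confusion / 'none'
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad split, bad base64, bad JSON, bad UTF-8
        return None
    if payload.get("exp", 0) < time.time():
        return None
    return payload


def vulnerable_admin_action(token: str, request_user_id: str) -> str:
    """The pattern from the quoted post: any valid token authorises an action
    on behalf of whatever userId the request body claims."""
    claims = verify_token(token)
    if claims is None:
        return "401 invalid token"
    # Bug: request_user_id is trusted; claims['sub'] is never compared to it.
    return f"200 acted as user {request_user_id}"


def hardened_admin_action(token: str, request_user_id: str) -> str:
    """Authenticate the token, then authorise: the token must belong to the
    user the request claims to be, and that user must hold the admin role."""
    claims = verify_token(token)
    if claims is None:
        return "401 invalid token"
    if claims.get("sub") != request_user_id:
        return "403 token was not issued to the user named in the request"
    if claims.get("role") != "admin":
        return "403 not an admin"
    return f"200 acted as user {request_user_id}"


if __name__ == "__main__":
    admin_tok = issue_token("u1", "admin@example.test", "admin")
    # Same token, request claims to act as a different user:
    print(vulnerable_admin_action(admin_tok, "u2"))  # accepted, the bug
    print(hardened_admin_action(admin_tok, "u2"))    # rejected
    print(hardened_admin_action(admin_tok, "u1"))    # accepted
```

The order of checks in `hardened_admin_action` matters in practice: signature and expiry first (authentication), then subject binding and role (authorisation). The `userId` / `email` fields in the request body should be treated as a claim the caller is making about themselves, to be confirmed against the token, never as the source of identity.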