Closed
Both of the API routes in `module-integration/etc/webapi.xml` to get an authentication token work over http. These routes should be secure and only acceptable over https, because you are passing sensitive account information in the request body. This can be achieved by adding `secure="true"` to each `<route>` node:
```xml
<route url="/V1/integration/admin/token" method="POST" secure="true">
    <service class="Magento\Integration\Api\AdminTokenServiceInterface" method="createAdminAccessToken"/>
    <resources>
        <resource ref="anonymous"/>
    </resources>
</route>
<route url="/V1/integration/customer/token" method="POST" secure="true">
    <service class="Magento\Integration\Api\CustomerTokenServiceInterface" method="createCustomerAccessToken"/>
    <resources>
        <resource ref="anonymous"/>
    </resources>
</route>
```
If this was an intentional decision, is there a way I can override this route in a custom module and enforce this behavior?