When using per user authentication, and returning media as URL instead of base64 encoded file in the response, the media URL itself is unsecured and accessible by unauthenticated users.
This is a huge security flaw - could not find in documentation how to address this. The files accessible via the media endpoint should ideally be secured using the same rules as the "parent" endpoints used to store them.
Or - am I missing something here?
The text was updated successfully, but these errors were encountered: