Endpoints needs to authenticate user with jwt #9
Assignees
Labels
bug
Something isn't working
Comments
|
Changes:
|
|
Addressed in #13 |
|
This was addressed in 0.9.5. There are still endpoint that should have JWT validation, but we don't want to pass the JWT in the URL. This issue is tracked in #17 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Version 0.9.2
Currently the jwt authentication helper validates the jwt as a valid jwt issued by the anchor, but doesn't actually check which user is authenticating. This means anyone can access anyone elses information, such as transaction history, just by authenticating as themself, or any other stellar address.
Endpoints such as
/transactionsshould get the stellar account from the jwt, rather than doing non-standard things like adding anaccountquery parameter to choose who's info to return./transactions?account=<>is not compliant with the spec and should be removed, using thesubaccount from the jwt instead.The text was updated successfully, but these errors were encountered: