Is it sefe to get access to GET /api/jwt/refresh?userId={userId} method?
-
I can get all refresh tokens for user if I know the user id and API authorization key. Everybody can see authorization key. User id is data that never expires, can be stolen and does not have confidential character. Why do we have this method? I think it is easy way to get token for any user...
-
Hiya,
When you say
Everybody can see authorization key.
Who do you mean? Do you mean anyone with access to the FusionAuth admin console? Or some other set of users?