There are several Admin API calls that check for a token, when it is expected that these API will be protected on other ways (and many of the calls don't, so we don't have consistency).
Of the ones that do, some just check and don't do anything with the token - these should have that logic removed.
Others need to the user to call a command - but we have a different way to get a default admin (though we likely should clean that up too).
djbrooke
commented
3 years ago
There are several Admin API calls that check for a token, when it is expected that these API will be protected on other ways (and many of the calls don't, so we don't have consistency).
Of the ones that do, some just check and don't do anything with the token - these should have that logic removed. Others need to the user to call a command - but we have a different way to get a default admin (though we likely should clean that up too).