tristanmkernan
commented
6 years ago this is a critical bug, it allows arbitrary account takeover. consider:
- bad guy makes a million accounts
- bad guy deletes accounts
- innocnet users make accounts
- now bad guy can login as anyone
potential solution: instead of user_id, base tokens off email. not such a problem because we are emailing them the token anyway.
currently, jwt does not expire. is this ok?