alexgolec / tda-api

A TD Ameritrade API client for Python. Includes historical data for equities and ETFs, options chains, streaming order book data, complex order construction, and more.
https://tda-api.readthedocs.io
MIT License
1.26k stars 335 forks

Enable limiting access scope #298

Closed alexgolec closed 2 years ago

codecov[bot] commented 2 years ago

Codecov Report

Merging #298 (b619c41) into master (c3a1e3b) will increase coverage by 0.00%. The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master     #298   +/-   ##
=======================================
  Coverage   99.58%   99.59%           
=======================================
  Files          19       19           
  Lines        2193     2219   +26     
  Branches      306      311    +5     
=======================================
+ Hits         2184     2210   +26     
  Misses          4        4           
  Partials        5        5           

| Flag | Coverage Δ |
|---|---|
| unittests | 99.59% <100.00%> (+<0.01%) :arrow_up: |

| Impacted Files | Coverage Δ |
|---|---|
| tda/auth.py | 99.55% <100.00%> (+0.05%) :arrow_up: |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update c3a1e3b...b619c41.

alexgolec commented 2 years ago

Upon testing, it appears that this functionality isn't actually implemented by TDA. Attempting to restrict scope to AccountAccess does not work: I can still place trades even though the account login flow does not show the "Place trades" message.

This is at best an oversight on TDA's part, and at worst a security vulnerability as applications could be crafted which claim to not support trading but secretly do. I'll be notifying TDA of this issue, and I'm shelving this change until they do.