Open severinbeauvais opened 7 months ago
@seeker25 Hi Travis, would the above described scenario even be a problem in Prod? Isn't Prod based on a one account - one login predicament?
At one point I think @kialj876 might have tried to lock down some of the endpoints. But I think it might have had some undesired side effects wrt to search maybe? I'm not sure.
Good point. If business search (or other APIs / jobs) use a service token to access Legal API endpoints, would they bypass the need to include an Account-Id header? If not, what's the solution here?
PS We might not need to solve this right away, but we should have an idea what's necessary to get there.
It was found that some Auth API and Legal API endpoints allow one account (e.g., 668) to access a business not affiliated to it as long as it is affiliated to another account (e.g., 2288) under the same login (e.g., BCREG0020).
We need to determine the business requirements here.
Proposed solution:
The scope of this change is undetermined -- it would require developers to identify the affected API endpoints and UIs and estimate the amount of work required.
cc: @seeker25 @Mihai-QuickSilverDev @NaveenHebbale @davemck513 @OlgaPotiagalova @vysakh-menon-aot @argush3
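The following is an added illustration of the authorization gap described in this issue and of a check that closes it; it is not code from the Legal API or Auth API. It contrasts an affiliation check keyed to "any account under the caller's login" (the reported behaviour) with one keyed to the account named in the `Account-Id` header, and it also shows one way to treat a service token that carries no `Account-Id` (the question raised above), by requiring an explicit role instead of silently skipping the account check. The account numbers, business identifiers, the `system` role and the data structures are all constructed assumptions for the example.

```python
"""Account-scoped business access check.

Added example, not project code. Every name below (the sample accounts,
business identifiers, the `system` role, the lookup tables) is constructed
to illustrate the check; the real Auth API / Legal API models differ.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: which accounts each login belongs to, and which
# accounts each business is affiliated with. Login BCREG0020 with accounts
# 668 and 2288 mirrors the report above; the business mapping is invented.
LOGIN_ACCOUNTS = {"BCREG0020": {668, 2288}}
BUSINESS_AFFILIATIONS = {"BC0000001": {2288}, "BC0000002": {668}}


@dataclass
class Request:
    login: Optional[str]                 # user login from the token; None for a service token
    roles: set = field(default_factory=set)
    headers: dict = field(default_factory=dict)


def vulnerable_can_access(req: Request, business: str) -> bool:
    """Reproduces the reported behaviour: affiliation with ANY account under
    the caller's login is enough, so the Account-Id header is never consulted."""
    user_accounts = LOGIN_ACCOUNTS.get(req.login, set())
    return bool(user_accounts & BUSINESS_AFFILIATIONS.get(business, set()))


def can_access(req: Request, business: str, service_role: str = "system") -> bool:
    """Hardened check: the Account-Id header must name an account that both
    belongs to the caller's login AND is affiliated with the business."""
    # Service tokens (no user login) carry no Account-Id. Rather than letting
    # them bypass the account check implicitly, require an explicit role.
    if req.login is None:
        return service_role in req.roles

    raw = req.headers.get("Account-Id")
    if raw is None:
        return False          # a user call without Account-Id is denied, not defaulted
    try:
        account_id = int(raw)
    except ValueError:
        return False          # malformed header is treated as no header

    if account_id not in LOGIN_ACCOUNTS.get(req.login, set()):
        return False          # header names an account the login is not a member of
    return account_id in BUSINESS_AFFILIATIONS.get(business, set())


if __name__ == "__main__":
    # Account 668 asking for a business affiliated only with 2288 (same login).
    cross = Request(login="BCREG0020", headers={"Account-Id": "668"})
    print("vulnerable:", vulnerable_can_access(cross, "BC0000001"))  # True (the bug)
    print("hardened:  ", can_access(cross, "BC0000001"))             # False
```

The key difference is that the hardened check derives the acting account from the `Account-Id` header and then validates that header against the token's login memberships, so a caller cannot name an account they do not belong to, and membership in a sibling account no longer grants access. For service tokens, the decision to allow or deny is made explicitly by role rather than falling out of a missing header.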