if one reads the source and knows the user / token id, it is possible to get the user config info off the db. this is a serious data leakage problem, as the full user cfg contains db info, etc.
make the user cfg be either:
[ ] accessible via api token
[ ] OR via token passed in a query string
this is really an m2m api, but it must be exposed via www, therefore it needs to be secured.
[ ] token should be configured in the maphive env
[ ] OR simply in the app config. all the derived apis will then use this cfg to obtain the user config off the core api
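One way to gate the core-api user cfg endpoint as the checklist above describes (token from the env or the app config, presented either as a bearer header or as a query-string parameter), as an added example and not MapHive's own code; the env var name, config key, handler names and sample record are assumptions:

```python
import hmac
import os
from urllib.parse import parse_qs, urlparse

# constructed sample data: a user cfg record of the kind the issue says must not leak
SAMPLE_STORE = {
    "u-42": {"user": "u-42", "db": {"host": "db.internal.example", "name": "u42_db"}},
}


def load_m2m_token(env_name="MAPHIVE_USER_CFG_TOKEN", app_config=None):
    """Resolve the shared m2m token: maphive env first, app config as fallback.
    Both the env var name and the config key are assumptions for this example."""
    token = os.environ.get(env_name) or (app_config or {}).get("user_cfg_token")
    if not token:
        # fail closed: without a configured token the endpoint must not serve user cfg at all
        raise RuntimeError("no m2m token configured; refusing to serve user cfg")
    return token


def presented_token(headers, url):
    """Accept the token either as 'Authorization: Bearer <token>' or as ?token=<token>."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip() or None
    values = parse_qs(urlparse(url).query).get("token")
    return values[0] if values else None


def is_authorized(headers, url, expected_token):
    """Constant-time comparison so a wrong token cannot be distinguished byte by byte."""
    token = presented_token(headers, url)
    if token is None:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def get_user_cfg(user_id, headers, url, expected_token, store=SAMPLE_STORE):
    """Core-api handler: knowing a user id alone is no longer enough to read the cfg."""
    if not is_authorized(headers, url, expected_token):
        return 401, {"error": "unauthorized"}
    cfg = store.get(user_id)
    if cfg is None:
        return 404, {"error": "unknown user"}
    return 200, cfg
```

If both forms are offered, prefer the header in the derived apis: a query-string token tends to end up in web server access logs and proxy logs, whereas an Authorization header usually does not.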