I don't believe this constitutes a security issue, because Google.retrieveCredential validates that key is a string before issuing any database queries, and the key is long and random. It may technically be possible (if you get your hands on a key) to swipe someone else's pending login by passing secret: {"$ne": null} or similar.
I think this is largely a case of "if you have root, it's easy to get root", but it seems like good practice to clean it up anyway.
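The operator case described in the message above, as an added example that is not part of the original message or the project's code: it shows why a secret that arrives as an object rather than a string changes what the query matches, and how a string check on both values closes that off. The in-memory store, the `matches` helper standing in for MongoDB selector semantics, and the function names are all assumptions made for illustration.

```javascript
// Constructed sample data: pending login credentials keyed by a random token.
const pending = [
  { key: "k-alice-7f3a", secret: "s-alice-91c2", credential: "alice-oauth-result" },
  { key: "k-bob-20de", secret: "s-bob-44ab", credential: "bob-oauth-result" },
];

// Hypothetical stand-in for MongoDB selector matching: a plain value means
// equality, an object such as {"$ne": x} is treated as a query operator.
function matches(doc, selector) {
  return Object.entries(selector).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      if ("$ne" in cond) return doc[field] !== cond.$ne;
      return false; // other operators are not modelled in this example
    }
    return doc[field] === cond;
  });
}

function findOne(selector) {
  return pending.find((doc) => matches(doc, selector)) || null;
}

// Before: key is type-checked, secret is passed to the query as received.
function retrieveUnchecked(key, secret) {
  if (typeof key !== "string") throw new TypeError("key must be a string");
  const doc = findOne({ key, secret });
  return doc ? doc.credential : null;
}

// After: both values must be strings, so an operator object never
// reaches the selector.
function retrieveChecked(key, secret) {
  if (typeof key !== "string") throw new TypeError("key must be a string");
  if (typeof secret !== "string") throw new TypeError("secret must be a string");
  const doc = findOne({ key, secret });
  return doc ? doc.credential : null;
}

// A client-supplied JSON body is parsed into an object, not a string.
const operatorSecret = JSON.parse('{"$ne": null}');
```
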