Closed avnersorek closed 7 years ago
This was done in my last PR
On Dec 28, 2016 10:50 AM, "David Virtser" notifications@github.com wrote:
Assigned #29 https://github.com/dorbel-tech/dorbel-shared/issues/29 to @avnersorek https://github.com/avnersorek.
It's now possible to make a request without an authorization token but with the x-user-profile header and actually impersonate any user without a login. The gateway is using shared.utils.userManagement.parseAuthToken, so it should remove any x-user-profile other than the one it creates.