feedbin / feedbin-api

Feedbin API Documentation

Authentication endpoint returns false-positive for test credentials #33

Closed danielpunkass closed 5 years ago

danielpunkass commented 5 years ago

Invoke this curl command:

curl --user "test:test" https://api.feedbin.com/v2/authentication.json

Expected: 401 status authentication failure.

Actual: 200 status OK.

This causes a minor anomaly in NetNewsWire when attempting to log in to Feedbin with test/test credentials: https://github.com/brentsimmons/NetNewsWire/issues/885

benubois commented 5 years ago

Hi @danielpunkass,

That surprised me too! However, I looked into it and test/test is actually a real account. It's an expired trial account created in 2015. Feedbin doesn't enforce any sort of email validation so it is perfectly valid.

danielpunkass commented 5 years ago

@benubois Fascinating! Thanks for looking into it. I guess instead this makes a good test case for NNW to handle expired accounts.

benubois commented 5 years ago

Ah, yeah good point. /v2/authentication.json will work regardless of account status, but other endpoints will return a 403 Forbidden response.
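
An added example, not part of the original thread and not Feedbin's or NetNewsWire's code: a client-side login check that follows the behaviour described in the last comment, treating a 200 from /v2/authentication.json as proof of the password only and probing a second endpoint to detect an expired account. The probe path `/subscriptions.json`, the function names and the stubbed responses are assumptions made for the example.

```python
import base64
import urllib.error
import urllib.request

API = "https://api.feedbin.com/v2"  # base URL from the curl command in the issue


def http_status(url, user, password):
    """Return the HTTP status of a GET with Basic auth (real network transport)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises on 401/403 instead of returning them


def check_login(user, password, probe_path="/subscriptions.json", status=http_status):
    """Classify credentials as 'invalid', 'expired', 'ok' or 'error'.

    probe_path is an assumption: any endpoint that requires an active account.
    """
    auth = status(f"{API}/authentication.json", user, password)
    if auth == 401:
        return "invalid"
    if auth != 200:
        return "error"
    # A 200 here only proves the password matches; per the thread it is
    # returned regardless of account status.
    probe = status(f"{API}{probe_path}", user, password)
    if probe == 403:
        return "expired"
    return "ok" if probe == 200 else "error"


def fake_server(table):
    """Constructed stand-in for the server so the example runs offline."""
    return lambda url, user, password: table[url.rsplit("/", 1)[-1]]


if __name__ == "__main__":
    expired = fake_server({"authentication.json": 200, "subscriptions.json": 403})
    print(check_login("user@example.com", "secret", status=expired))
```
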