Closed jjnesbitt closed 2 years ago
We've since expanded the use of users, and this is now a security issue. Due to user search and permissions, it's now possible to see the session token of other users, either by searching and looking at the returned object, or by observing the returned permissions data on a workspace that you're at least a maintainer of. This could then be used to sign in as that user.
Currently, in our `/user/info` endpoint, we return the user info, along with our tacked-on `multinet` field of the following form:

There's really no reason to include this in the API response, as the state of being logged in/logged out is kept as a cookie in the browser, and shouldn't need to be accessed programmatically.
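Added example, not code from the issue or from the multinet project: the dump-everything pattern the issue describes beside an allowlist serializer for the `/user/info` response, plus a check that flags token-bearing keys anywhere in a response body so the leak is caught by a test rather than by a user. The record layout and the field names (`session_token`, the contents of the `multinet` sub-object) are assumptions.

```python
# Added example (not multinet's own code): serialize /user/info through an
# explicit allowlist so session material never rides along in the response,
# plus a regression check that scans any JSON payload for token-bearing keys.
import json

# Constructed stand-in for the server-side user record. Field names here
# (session_token, the multinet sub-object) are assumptions, not the real schema.
USER_RECORD = {
    "id": 42,
    "username": "alice",
    "email": "alice@example.org",
    "multinet": {
        "logged_in": True,
        "session_token": "constructed-session-token-do-not-leak",
    },
}

# Keys that must never appear anywhere in a user-facing response.
SENSITIVE_KEYS = {"session_token", "token", "password", "secret"}

def user_info_unsafe(record):
    """The pattern the issue describes: return the whole record, extras included."""
    return dict(record)

def user_info_safe(record):
    """Allowlist serialization: only the fields a client legitimately needs."""
    return {k: record[k] for k in ("id", "username", "email") if k in record}

def find_sensitive_keys(obj, path=""):
    """Walk a JSON-like object and return the paths of any sensitive keys."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k.lower() in SENSITIVE_KEYS:
                hits.append(p)
            hits.extend(find_sensitive_keys(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_sensitive_keys(v, f"{path}[{i}]"))
    return hits

def response_leaks(payload):
    """True if the serialized response body carries any sensitive key."""
    return bool(find_sensitive_keys(json.loads(json.dumps(payload))))

if __name__ == "__main__":
    print("unsafe leaks:", response_leaks(user_info_unsafe(USER_RECORD)))  # True
    print("safe leaks:  ", response_leaks(user_info_safe(USER_RECORD)))    # False
```

The same `response_leaks` check can be dropped into an API test suite and run against every endpoint that serializes user or permission objects, including the user search and workspace permission responses the issue mentions.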