exchangeRefreshToken refreshes the token for the currently logged in user regardless of supplied userId

percolatestudio / meteor-google-api

A simple API encapsulating some common patterns regarding Google's APIs

https://atmospherejs.com/percolate/google-api

MIT License

48 stars 30 forks source link

exchangeRefreshToken refreshes the token for the currently logged in user regardless of supplied userId #42

Closed kodie closed 7 years ago

kodie commented 7 years ago

This line: https://github.com/percolatestudio/meteor-google-api/blob/master/google-api-methods.js#L8

Changes the userId to the currently logged in user even if a different userId is supplied.

jon-mann commented 7 years ago

the line you referenced is nested underneath if(this.connection) which will only be true if being called from a client. a call from a within server code can still call exchangeRefreshToken with an arbitrary userId. if this protection wasn't in place anyone could query this meteor method for an api token for any random user.