Open wd15 opened 1 year ago
In light of Circle CI's security incident this would be really needed.
I was digging through the code and found this:
By doing a password reset on my account, I was able to get a new token after the password reset.
@brint Unfortunately this does not revoke the old token. Here's how I tested it:
Got a token with surge token
, logged out and reset the password. Tried the previously issued token by doing surge list --token <token>
and it was still working.
Bump
I confirm that /token/reset
doesn't reset the token.
curl -vvv -XPOST https://surge.surge.sh/token/reset/[my email here]
Got a 201
back (with no authentication whatsoever 🤯), but token remains the same.
If at least we got access to their API documentation, we would have a workaround until the CLI is fixed
Can an existing token be revoked with the Surge CLI?
surge token --help
doesn't give any indications of possible sub-commands.