Currently, the permissions our app requests on a user's Spotify account are determined by the client. See here.
This is bad design practice: an attacker could simply alter the request and obtain edit access (?) under our token and reputation. We don't want that, so fix it by moving all the permissions we need here.
This way, at least, an attacker can't arbitrarily change their own permissions.
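As an added illustration (not code from this issue or its project), the following Python contrasts the two designs: an authorize URL whose `scope` parameter is copied from the client request, and one where the server owns a fixed allow-list of scopes and ignores client input. It assumes "here" means the server-side code that builds the Spotify authorization URL; the client id, redirect URI and the chosen scope names are constructed placeholders, and the final check relies on Spotify's token response carrying a space-separated `scope` field.

```python
# Added example, not part of the original issue or project.
# Shows why client-chosen OAuth scopes are a problem and how the server
# fixes the scope list instead. Client id / redirect URI / scopes are
# constructed placeholders for illustration only.
from urllib.parse import urlencode, urlparse, parse_qs

SPOTIFY_AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
CLIENT_ID = "example-client-id"                 # constructed placeholder
REDIRECT_URI = "https://example.test/callback"  # constructed placeholder

# The only scopes this app actually needs (assumption: read-only access).
ALLOWED_SCOPES = frozenset({"user-read-email", "playlist-read-private"})


def build_authorize_url_vulnerable(request_params: dict) -> str:
    """Before: the scope list is taken verbatim from the client request.

    Anyone can ask Spotify for broader scopes (e.g. playlist-modify-private)
    under our client id, so the consent screen carries our name and
    reputation while granting permissions we never intended to request.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": request_params.get("scope", ""),  # attacker-controlled
    }
    return f"{SPOTIFY_AUTHORIZE_URL}?{urlencode(params)}"


def build_authorize_url_fixed(request_params: dict) -> str:
    """After: the server decides the scopes; client input is ignored."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(sorted(ALLOWED_SCOPES)),  # fixed server-side list
    }
    return f"{SPOTIFY_AUTHORIZE_URL}?{urlencode(params)}"


def requested_scopes(url: str) -> set:
    """Helper: read the scope parameter back out of an authorize URL."""
    qs = parse_qs(urlparse(url).query)
    return set(qs.get("scope", [""])[0].split())


def token_scopes_acceptable(token_response: dict) -> bool:
    """Defence in depth at the callback: Spotify's token response includes a
    space-separated `scope` field. Reject any token that grants more than
    the server-side allow-list, so an over-broad grant is never stored."""
    granted = set(token_response.get("scope", "").split())
    return granted <= ALLOWED_SCOPES


if __name__ == "__main__":
    tampered = {"scope": "playlist-modify-private"}
    print("vulnerable:", requested_scopes(build_authorize_url_vulnerable(tampered)))
    print("fixed:     ", requested_scopes(build_authorize_url_fixed(tampered)))
```

With the fixed builder the client's `scope` value has no effect on the URL, and `token_scopes_acceptable` gives the callback a second line of defence by comparing what Spotify actually granted against the same allow-list.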