webflow / js-webflow-api

Node.js SDK for the Webflow Data API
https://www.npmjs.com/package/webflow-api

v2 auth code can access v1 app #163

Open kennethnanwu opened 2 months ago

kennethnanwu commented 2 months ago

I am doing the v2 migration, and discovered that I can use the new (v2) app's client_id to request an authorization code, and use this auth code to get an access token for the v1 app.

That is, in authorizeURL, I used the v2 app client id:

// Build the authorization URL with the v2 app's client id
const authorizeUrl = WebflowClient.authorizeURL({
    state: "state",
    scope: "sites:read",
    clientId: "v2_app_client_id",
    redirectUri: "redirect_uri",
});

and when the redirect_uri gets an access code, I use it with the v1 app's client id and client secret:

// Exchange the code using the v1 app's credentials (getAccessToken returns a Promise)
const accessToken = await WebflowClient.getAccessToken({
  clientId: "v1_app_client_id",
  clientSecret: "v1_app_client_secret",
  code: "authorization_code"
});

I expected this to fail, but I was able to get an access token successfully.

Is this intended, or is this a bug?

Thanks for the help in advance!

kennethnanwu commented 2 months ago

Is it because the account I am using has granted access to the v1 app before?
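
For reference on what the report expects from the token endpoint: RFC 6749 section 4.1.3 requires the authorization server to ensure the code was issued to the client that is redeeming it, and to answer `invalid_grant` otherwise. The sketch below is an added example, not part of the issue and not Webflow's or the SDK's code; `AuthCodeStore`, `CODE_TTL_MS` and `demo` are hypothetical names, and the client ids are the placeholders used in the issue.

```javascript
// Added example: hypothetical in-memory authorization-code store (not Webflow's implementation).
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const CODE_TTL_MS = 60_000; // assumed lifetime; RFC 6749 recommends at most 10 minutes

class AuthCodeStore {
  constructor(now = () => Date.now()) {
    this.now = now; // injectable clock so expiry can be tested
    this.codes = new Map(); // code -> { clientId, scope, expiresAt }
  }

  // Authorization endpoint: record which client the code is issued to.
  issue({ clientId, scope }) {
    const bytes = webcrypto.getRandomValues(new Uint8Array(32));
    const code = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
    this.codes.set(code, { clientId, scope, expiresAt: this.now() + CODE_TTL_MS });
    return code;
  }

  // Token endpoint: clientId is the client that already authenticated with its secret.
  redeem({ code, clientId }) {
    const fail = (reason) => ({ ok: false, error: "invalid_grant", reason });
    const grant = this.codes.get(code);
    if (!grant) return fail("unknown or already used code");
    this.codes.delete(code); // single use: burned even when a later check fails
    if (this.now() > grant.expiresAt) return fail("code expired");
    if (grant.clientId !== clientId) return fail("code was issued to a different client");
    return { ok: true, clientId, scope: grant.scope };
  }
}

// Replays the flow from the issue against this store, then the legitimate flow and a replay.
function demo() {
  const store = new AuthCodeStore();
  const first = store.issue({ clientId: "v2_app_client_id", scope: "sites:read" });
  const crossClient = store.redeem({ code: first, clientId: "v1_app_client_id" });
  const second = store.issue({ clientId: "v2_app_client_id", scope: "sites:read" });
  const sameClient = store.redeem({ code: second, clientId: "v2_app_client_id" });
  const replay = store.redeem({ code: second, clientId: "v2_app_client_id" });
  return { crossClient, sameClient, replay };
}
```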