Currently signed in user can revoke other users tokens #1613
Comments
Thanks @sofianegargouri
Just to be clear: Exploiting this bug requires possession of both users' tokens?
Steps to reproduce
skip_client_authentication_for_password_grant true
POST /revoke
with: Authorization: Bearer token_user_a
{ "token": "token_user_b" }
Expected behavior
Not sure if this is normal or not, but I cannot revoke my current token as well.
Actual behavior
System configuration
You can help us to understand your problem if you will share some very
useful information about your project environment (don't forget to
remove any confidential data if it exists).
Doorkeeper initializer:
`config/initializers/doorkeeper.rb` content
Ruby version:
3.1.2p20
Gemfile.lock:
Gemfile.lock content
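The reproduction steps above come down to one missing check: the revocation endpoint verified that the caller holds a valid bearer token, but not that the token named in the request body belongs to that caller. The following is an added example, not Doorkeeper's code and not part of the original issue: a minimal Ruby model of an RFC 7009 revocation endpoint with the weak check beside the hardened one. The token store, the token strings (reusing the issue's `token_user_a` / `token_user_b`), the function names `revoke_weak` / `revoke_hardened` and the `authenticated_client:` keyword are all constructed for the illustration.

```ruby
# Added example (not Doorkeeper's implementation): modelling the
# authorization decision an OAuth 2.0 revocation endpoint must make.

# Constructed token store: token string => token record.
# Both tokens were issued to the same client but to different resource owners.
TOKENS = {
  "token_user_a" => { owner: "user_a", client_id: "app", revoked: false },
  "token_user_b" => { owner: "user_b", client_id: "app", revoked: false },
}.freeze

# Fresh, mutable copy of the store so each scenario starts clean.
def fresh_store
  TOKENS.transform_values(&:dup)
end

# Weak check, modelling the behaviour reported in the issue: any caller with
# a valid bearer token may revoke any token string it can name.
def revoke_weak(store, bearer, target)
  caller_token = store[bearer]
  return :unauthorized if caller_token.nil? || caller_token[:revoked]

  victim = store[target]
  return :ok if victim.nil? # RFC 7009 §2.2: unknown tokens are not an error

  victim[:revoked] = true   # no ownership check: cross-user revocation
  :ok
end

# Hardened check: the token being revoked must belong to the same resource
# owner as the bearer, or, when the client authenticated itself, must have
# been issued to that client (RFC 7009 §2.1 requires the server to verify
# the token was issued to the party making the request and to refuse otherwise).
def revoke_hardened(store, bearer, target, authenticated_client: nil)
  caller_token = store[bearer]
  return :unauthorized if caller_token.nil? || caller_token[:revoked]

  victim = store[target]
  return :ok if victim.nil? # unknown token: nothing to do, no information leaked

  same_owner  = victim[:owner] == caller_token[:owner]
  same_client = authenticated_client && victim[:client_id] == authenticated_client
  return :forbidden unless same_owner || same_client

  victim[:revoked] = true
  :ok
end

if $PROGRAM_NAME == __FILE__
  s = fresh_store
  puts "weak:     #{revoke_weak(s, 'token_user_a', 'token_user_b')} (user_b revoked: #{s['token_user_b'][:revoked]})"
  s = fresh_store
  puts "hardened: #{revoke_hardened(s, 'token_user_a', 'token_user_b')} (user_b revoked: #{s['token_user_b'][:revoked]})"
  puts "self:     #{revoke_hardened(s, 'token_user_a', 'token_user_a')} (user_a revoked: #{s['token_user_a'][:revoked]})"
end
```

The hardened version also answers the reporter's second observation: a user revoking their own current token passes the same-owner test and succeeds. Skipping client authentication for the password grant is exactly the situation in which the ownership comparison is the only line of defence, since `authenticated_client` is then `nil` and the client-based branch can never match.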