Bug Possible security issue: API Login Token always allows permanent login

There is a bug in this version
K

Kirby

Guest
API call auth/login-token allows to request a login token that either logs the user in just for one session (remember = 0) or permanently (remember=1) .

However, this setting is not part of the token and thus not validated when the token is redeemed.

This allows every token to be used for a permanent login which might be a security issue.

Continue reading...