Bridge HTTP-API security hole (firmware: 2.2.7)

I recently came to play with the HTTP API and accidentally discovered (after changing my token) that I can still execute /callback/list, /callback/add and /callback/remove with the old token. It turned out that in fact NO token is required for these actions, while the documentation clearly states that you need a valid token.
I would call this a security flaw and it should be fixed to always require a valid token.
Note: I also checked a few API calls like /info or /list, which seem to require a valid token, but I did NOT test all API calls.
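The failure mode reported above (a subset of routes handled before the token check ever runs) next to the hardened form where authentication is the first step for every route, plus a regression check that probes each route without a token. This is an added illustration, not code from the bridge firmware; the route names are those mentioned in the thread, while the token value, handler structure and function names are constructed for the example.

```python
import hmac

# Constructed sample values; the bridge's real token format is not shown in the thread.
VALID_TOKEN = "constructed-token"
ROUTES = ["/info", "/list", "/callback/list", "/callback/add", "/callback/remove"]


def token_ok(token):
    """Constant-time comparison of the presented token against the configured one."""
    return token is not None and hmac.compare_digest(token, VALID_TOKEN)


def handle_buggy(path, token=None):
    """One way the reported flaw arises: /callback/ routes are dispatched
    before the token check, so they are reachable with no or a stale token."""
    if path.startswith("/callback/"):
        return 200, "callback op " + path.rsplit("/", 1)[1]
    if not token_ok(token):
        return 401, "invalid token"
    return 200, "ok " + path


def handle_fixed(path, token=None):
    """Hardened dispatcher: authentication runs first for every route, so no
    individual handler can skip it by accident."""
    if not token_ok(token):
        return 401, "invalid token"
    if path.startswith("/callback/"):
        return 200, "callback op " + path.rsplit("/", 1)[1]
    return 200, "ok " + path


def unauthenticated_routes(handler, routes=ROUTES):
    """Regression check: list every route that answers a missing or stale
    token with anything other than 401. A correct API yields an empty list."""
    probes = (None, "stale-token-after-rotation")
    return [p for p in routes if any(handler(p, t)[0] != 401 for t in probes)]


if __name__ == "__main__":
    print("buggy :", unauthenticated_routes(handle_buggy))
    print("fixed :", unauthenticated_routes(handle_fixed))
```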

Hi Klaus,

Thx for discovering this, it affected the /callback/... commands only.
The issue has been fixed with the now available 2.2.8 release.

regards,
Marc
