Comment 1 for bug 1186059

Dolph Mathews (dolph) wrote :

Should these calls require any authentication at all (with a default policy configuration)? If the caller is in possession of a token, why should they not be able to validate or revoke it? Revoking your own token is analogous to "logging out."

I definitely *don't* think that these calls should receive special treatment in terms of how X-Auth-Token vs X-Subject-Token is handled. In other words, the X-Subject-Token should not be treated as an X-Auth-Token, and if policy.json requires authorization, that should apply to the X-Auth-Token.

I'm not sure if this is a security vulnerability though, because the token can still be revoked on the v2 API.