cancel
Showing results for 
Search instead for 
Did you mean: 

API authentication token routes should be secure

0 Kudos

API authentication token routes should be secure

Feature request from brendanmckeown, posted on GitHub Jan 20, 2016

Both of the API routes in module-integration/etc/webapi.xml to get an authentication token work over http. These routes should be secure and only acceptable over https, because you are passing sensitive account information in the request body. This can be achieved by adding secure="true" to each <route> node:

    <route url="/V1/integration/admin/token" method="POST" secure="true">
        <service class="Magento\Integration\Api\AdminTokenServiceInterface" method="createAdminAccessToken"/>
        <resources>
            <resource ref="anonymous"/>
        </resources>
    </route>
    <route url="/V1/integration/customer/token" method="POST" secure="true">
        <service class="Magento\Integration\Api\CustomerTokenServiceInterface" method="createCustomerAccessToken"/>
        <resources>
            <resource ref="anonymous"/>
        </resources>
    </route>

If this was an intentional decision, is there a way I can override this route in a custom module and enforce this behavior?

1 Comment
Mackelito
New Contributor

:removed: