Magento Forums
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

API authentication token routes should be secure

0 Kudos

API authentication token routes should be secure

Status: New Submitted by on ‎08-25-2016 08:01 PM
1 Comment (1 New)

Feature request from brendanmckeown, posted on GitHub Jan 20, 2016

Both of the API routes in module-integration/etc/webapi.xml to get an authentication token work over http. These routes should be secure and only acceptable over https, because you are passing sensitive account information in the request body. This can be achieved by adding secure="true" to each <route> node:

    <route url="/V1/integration/admin/token" method="POST" secure="true">
        <service class="Magento\Integration\Api\AdminTokenServiceInterface" method="createAdminAccessToken"/>
        <resources>
            <resource ref="anonymous"/>
        </resources>
    </route>
    <route url="/V1/integration/customer/token" method="POST" secure="true">
        <service class="Magento\Integration\Api\CustomerTokenServiceInterface" method="createCustomerAccessToken"/>
        <resources>
            <resource ref="anonymous"/>
        </resources>
    </route>

If this was an intentional decision, is there a way I can override this route in a custom module and enforce this behavior?

1 Comment
Mackelito
New Contributor
‎08-30-2016 07:11 AM
‎08-30-2016 07:11 AM

:removed: