Feature request from brendanmckeown, posted on GitHub Jan 20, 2016
Both of the API routes in module-integration/etc/webapi.xml to get an authentication token work over http. These routes should be secure and only acceptable over https, because you are passing sensitive account information in the request body. This can be achieved by adding secure="true" to each <route> node:
<route url="/V1/integration/admin/token" method="POST" secure="true">
    <service class="Magento\Integration\Api\AdminTokenServiceInterface" method="createAdminAccessToken"/>
    <resources>
        <resource ref="anonymous"/>
    </resources>
</route>
<route url="/V1/integration/customer/token" method="POST" secure="true">
    <service class="Magento\Integration\Api\CustomerTokenServiceInterface" method="createCustomerAccessToken"/>
    <resources>
        <resource ref="anonymous"/>
    </resources>
</route>
If this was an intentional decision, is there a way I can override this route in a custom module and enforce this behavior?
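
An added example, not part of the original post and not Magento's own code: a small audit that parses a webapi.xml document and reports every route lacking the secure="true" attribute discussed above, listing anonymous routes first. The sample XML is constructed, the /V1/example/items route and its class are hypothetical, and treating "1" as equivalent to "true" is an assumption about the attribute being a boolean.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the shipped Magento file: the admin route without
# secure (the behaviour the post reports), the customer route with the
# attribute the post proposes, and a hypothetical ACL-protected route.
SAMPLE_WEBAPI_XML = r"""
<routes>
    <route url="/V1/integration/admin/token" method="POST">
        <service class="Magento\Integration\Api\AdminTokenServiceInterface" method="createAdminAccessToken"/>
        <resources>
            <resource ref="anonymous"/>
        </resources>
    </route>
    <route url="/V1/integration/customer/token" method="POST" secure="true">
        <service class="Magento\Integration\Api\CustomerTokenServiceInterface" method="createCustomerAccessToken"/>
        <resources>
            <resource ref="anonymous"/>
        </resources>
    </route>
    <route url="/V1/example/items" method="GET">
        <service class="Example\Module\Api\ItemRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Example_Module::items"/>
        </resources>
    </route>
</routes>
"""

def is_secure(route):
    # Assumption: secure is a boolean attribute, so "true" and "1" both enable it.
    return route.get("secure", "").strip().lower() in ("true", "1")

def routes_without_secure(xml_text):
    """Return (method, url, anonymous) for every route not marked secure."""
    findings = []
    for route in ET.fromstring(xml_text).iter("route"):
        if is_secure(route):
            continue
        refs = {res.get("ref") for res in route.iter("resource")}
        findings.append((route.get("method"), route.get("url"), "anonymous" in refs))
    # Anonymous routes first: they are reachable with no prior authentication.
    return sorted(findings, key=lambda f: (not f[2], f[1]))

if __name__ == "__main__":
    for method, url, anonymous in routes_without_secure(SAMPLE_WEBAPI_XML):
        print(f"{method} {url} anonymous={anonymous}")
```

Running the same function over each module's etc/webapi.xml in a build step gives a list of routes to review before deployment.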