Hello
I just made the following API call without needing a token. I am really surprised now. Is it a security issue?
curl --request POST \
  --url http://magento.xxxx.com/index.php/rest/V1/customers \
  --header 'content-type: application/json' \
  --data '{"customer" : {"email" : "user3@example.com","firstname" : "John","lastname" : "Doe","storeId" : 1,"websiteId": 1},"password" : "Demo1234"}'
I saw my store and the customer was successfully created!
I tested this code in two places: 1- my computer, 2- a random DigitalOcean server.
Accepted Solutions
Some of the REST API endpoints are available anonymously, including the create account functionality - this mimics the fact that anyone can create a customer account on the frontend of the website.
It's actually one of the examples on this page http://devdocs.magento.com/guides/v2.0/get-started/authentication/gs-authentication.html
If you've found one of my answers useful, please give "Kudos" or "Accept as Solution" as appropriate. Thanks!
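To see which REST routes a store exposes without a token, as an added example that is not part of the original thread or Magento's own code: Magento 2 modules declare each route and the resource it requires in etc/webapi.xml, and a route whose resource ref is "anonymous" needs no authentication. The sketch below classifies routes from a constructed sample in that format; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Magento 2 module's etc/webapi.xml.
# In a real audit, read every app/code and vendor module's etc/webapi.xml instead.
SAMPLE_WEBAPI_XML = r"""<routes>
    <route url="/V1/customers" method="POST">
        <service class="Magento\Customer\Api\AccountManagementInterface" method="createAccount"/>
        <resources>
            <resource ref="anonymous"/>
        </resources>
    </route>
    <route url="/V1/customers/me" method="GET">
        <service class="Magento\Customer\Api\CustomerRepositoryInterface" method="getById"/>
        <resources>
            <resource ref="self"/>
        </resources>
    </route>
    <route url="/V1/customers/:customerId" method="GET">
        <service class="Magento\Customer\Api\CustomerRepositoryInterface" method="getById"/>
        <resources>
            <resource ref="Magento_Customer::customer"/>
        </resources>
    </route>
</routes>"""


def classify_routes(xml_text):
    """Map (HTTP method, URL) to the access level its <resource> refs imply."""
    result = {}
    for route in ET.fromstring(xml_text).iter("route"):
        refs = {res.get("ref") for res in route.iter("resource")}
        if "anonymous" in refs:
            access = "anonymous"   # callable with no token at all
        elif "self" in refs:
            access = "self"        # needs a customer token, acts on own data
        elif refs:
            access = "acl"         # needs an admin/integration ACL resource
        else:
            access = "undeclared"  # no <resource> found; flag for manual review
        result[(route.get("method"), route.get("url"))] = access
    return result


def anonymous_routes(xml_text):
    """Return the sorted list of routes that require no authentication."""
    return sorted(k for k, v in classify_routes(xml_text).items() if v == "anonymous")


if __name__ == "__main__":
    for method, url in anonymous_routes(SAMPLE_WEBAPI_XML):
        print(f"{method:6} {url}  (no token required)")
```

Reviewing this list, including routes added by third-party modules, shows which anonymous endpoints are expected (such as customer registration) and which deserve rate limiting or a closer look.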