Bug
Resolution: Done
Authenticated users can delete their own password credential by sending a DELETE request to the user's credential ID endpoint, even though the password credential is marked as non-removable by a boolean flag. Once the DELETE request is processed, the user's password is deleted and the user can no longer log in.
== Replication Steps
1. A user must obtain their credential ID by intercepting a GET request to the credential endpoint. The password credential is listed under userCredentialMetadatas with its id. See
2. A DELETE request can then be sent to the credential ID endpoint. This request removes the password from the user account.
3. A subsequent GET request to the credential endpoint confirms that the password credential no longer exists.
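Added example (not code from the bug report or the affected project): a minimal model of the credential endpoint that shows the reported defect beside a hardened handler which enforces the non-removable flag server-side. The `CredentialStore` class, the `removable` field name and the HTTP-style status codes are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Credential:
    id: str
    type: str
    removable: bool  # metadata flag the server must enforce, not just report


@dataclass
class CredentialStore:
    creds: Dict[str, Credential] = field(default_factory=dict)

    def list_metadata(self) -> List[dict]:
        # Mirrors step 1: the GET response exposes each credential's id and flags.
        return [{"id": c.id, "type": c.type, "removable": c.removable}
                for c in self.creds.values()]

    def delete_vulnerable(self, cred_id: str) -> int:
        # Defect: the removable flag is only informational; the delete goes through.
        if cred_id not in self.creds:
            return 404
        del self.creds[cred_id]
        return 204

    def delete_hardened(self, cred_id: str) -> int:
        cred = self.creds.get(cred_id)
        if cred is None:
            return 404
        if not cred.removable:
            return 400  # refuse: flag is enforced at the point of deletion
        if len(self.creds) == 1:
            return 400  # never strip the account of its last credential
        del self.creds[cred_id]
        return 204


def sample_store() -> CredentialStore:
    # Constructed sample data: one non-removable password, one removable OTP device.
    return CredentialStore({
        "pw-1": Credential("pw-1", "password", removable=False),
        "otp-1": Credential("otp-1", "otp", removable=True),
    })


def reproduce(hardened: bool) -> Tuple[int, bool]:
    # Steps 1-3 of the report: find the password id, DELETE it, re-read the metadata.
    store = sample_store()
    pw_id = next(m["id"] for m in store.list_metadata() if m["type"] == "password")
    status = store.delete_hardened(pw_id) if hardened else store.delete_vulnerable(pw_id)
    still_present = any(m["id"] == pw_id for m in store.list_metadata())
    return status, still_present
```

`reproduce(False)` returns `(204, False)`, the bug as reported; `reproduce(True)` returns `(400, True)`, the password survives.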