Bug
Resolution: Fixed
Normal
If you request a URL that doesn't require authentication (for example /1/user/(user_name)/listens), but you also provide an Authorization header with invalid data, you get the information that you requested.
I'm not sure if it makes sense to validate this data on public endpoints or not. Thoughts?
One potential reason to verify on all requests is if we have a separate rate limit for authorised clients...
We don't do authorised rate limits currently. This came up recently when we wanted to bump up troi-bot's rate limit. We hardcoded it to use a config value to avoid an extra db lookup on each call.
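The two policies discussed in this ticket side by side, as an added example that is not ListenBrainz code. The handler takes a flag: with it off, an Authorization header on the public listens endpoint is ignored entirely (the behaviour the first comment describes); with it on, a header that is present must parse and resolve to a known token, a bad one is rejected with 401 even though the data is public, and a good one moves the caller into a per-user rate-limit bucket. The header format `Token <value>`, the in-memory token store, the sample tokens, the rate-limit numbers and the `anon:<ip>` / `user:<name>` bucket keys are all assumptions made for the example, not facts from the ticket.

```python
"""Added example, not ListenBrainz code: what a public endpoint does with an
Authorization header it does not need.

Assumptions (not from the ticket): header format 'Authorization: Token <value>',
an in-memory token store, and rate-limit buckets keyed 'user:<name>' or
'anon:<ip>'.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample token store (token -> user name).
TOKENS = {"tok-alice-1": "alice", "tok-troi-1": "troi-bot"}

# Constructed rate limits; anonymous callers get the default bucket size.
DEFAULT_RATE_LIMIT = 10
USER_RATE_LIMITS = {"troi-bot": 1000}


@dataclass
class Request:
    path: str
    remote_addr: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object
    # Which rate-limit bucket the request was charged to, exposed for inspection.
    rate_limit_key: str = ""
    rate_limit: int = DEFAULT_RATE_LIMIT


class AuthError(Exception):
    pass


def parse_token(header: Optional[str]) -> Optional[str]:
    """Return the token from 'Token <value>', or None when no header was sent.
    A header that is present but malformed raises AuthError."""
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "token" or not parts[1].strip():
        raise AuthError("malformed Authorization header")
    return parts[1].strip()


def resolve_user(header: Optional[str]) -> Optional[str]:
    """Map an optional Authorization header to a user name.
    None means an anonymous caller; present-but-invalid is an error.
    In a real service this is the extra database lookup per request."""
    token = parse_token(header)
    if token is None:
        return None
    user = TOKENS.get(token)
    if user is None:
        raise AuthError("invalid token")
    return user


def public_listens(req: Request, validate_optional_auth: bool) -> Response:
    """Handler for /1/user/<user_name>/listens, an endpoint that needs no auth.

    validate_optional_auth=False: the lenient behaviour the ticket describes;
    any Authorization header, valid or garbage, is ignored.
    validate_optional_auth=True: a header that is sent must be valid; a bad one
    gets 401 even though the data is public, and a good one selects the
    caller's own rate-limit bucket.
    """
    user_name = req.path.split("/")[3]  # "/1/user/<user_name>/listens"
    listens = {"user_name": user_name, "listens": []}  # constructed payload
    anon_key = f"anon:{req.remote_addr}"

    if not validate_optional_auth:
        return Response(200, listens, anon_key, DEFAULT_RATE_LIMIT)

    try:
        caller = resolve_user(req.headers.get("Authorization"))
    except AuthError as exc:
        return Response(401, {"error": str(exc)}, anon_key, DEFAULT_RATE_LIMIT)

    if caller is None:
        return Response(200, listens, anon_key, DEFAULT_RATE_LIMIT)
    return Response(200, listens, f"user:{caller}",
                    USER_RATE_LIMITS.get(caller, DEFAULT_RATE_LIMIT))


if __name__ == "__main__":
    bad = Request("/1/user/alice/listens", "10.0.0.1",
                  {"Authorization": "Token not-a-real-token"})
    print("lenient:", public_listens(bad, validate_optional_auth=False).status)
    print("strict: ", public_listens(bad, validate_optional_auth=True).status)
```

The trade-off the last comment points at is visible in `resolve_user`: validating an optional header means a token lookup on every request that carries one, which is exactly the per-call database cost that motivated hardcoding troi-bot's limit in config.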