by Joseph Pham.
Hi Nico
Thanks for these clear instructions. My team ran into a weird problem when applying this.
We use this API to get a user token; we pass in a username and password. But regardless of what password we use (even wrong ones), the correct token for this user is still returned! Only when we don't pass in a password does the return message say we have no permission to perform this action. That's definitely not right. Could there be some setting somewhere that we misconfigured? Otherwise our system is open to intruders who only need to know some usernames.
The tool we use to test this is the POSTER plugin for Firefox. Our test system runs on localhost.
Thanks for your help.
Joseph