coder2z commented on issue #11738: URL: https://github.com/apache/apisix/issues/11738#issuecomment-2903974021
> > Security Issue: Unauthenticated User with Forged userid:
> >
> > Why doesn't the authentication service reject it in this case?

* Client doesn't send userid, only sends token
* Auth service verifies the token and generates the correct userid
* Need to ensure any potentially forged userid from the client is completely removed, using only the value generated by the auth service

How this scene will appear

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
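The header-rewrite pattern the comment describes, as an added example that is not part of the issue thread and not APISIX's own code: the gateway drops any client-supplied identity header before doing anything else, verifies the bearer token, and only then re-adds the identity header from the value the verifier produced. The header name `X-User-Id`, the `authenticate` function and the HMAC-signed token format are assumptions made for illustration; in a real deployment the header name and token scheme come from the auth plugin's configuration.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Assumed identity header the upstream trusts (not an APISIX default).
IDENTITY_HEADER = "X-User-Id"
AUTH_HEADER = "Authorization"

# Constructed demo secret; a real deployment loads this from configuration.
DEMO_SECRET = b"demo-secret-not-for-production"


def issue_token(userid: str, secret: bytes = DEMO_SECRET) -> str:
    """Constructed token format: base64url(json payload) + '.' + hex HMAC-SHA256."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": userid}).encode()).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token: str, secret: bytes = DEMO_SECRET) -> Optional[str]:
    """Return the userid carried by a valid token, or None if the token is bad."""
    try:
        payload, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; also fails for a truncated or lengthened tag.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def authenticate(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Build the upstream headers for one request.

    The client-supplied identity header is removed unconditionally, before
    the token is even looked at, so a forged value can never reach the
    upstream. The header is then set only from the userid the verified token
    yields. Returns the upstream headers, or None if the request is rejected.
    """
    # HTTP header names are case-insensitive, so drop "x-user-id" as well.
    upstream = {k: v for k, v in headers.items()
                if k.lower() != IDENTITY_HEADER.lower()}

    auth = headers.get(AUTH_HEADER, "")
    if not auth.startswith("Bearer "):
        return None
    userid = verify_token(auth[len("Bearer "):])
    if userid is None:
        return None

    upstream[IDENTITY_HEADER] = userid
    return upstream
```

Because the strip happens before verification rather than after, a change to the verification path (a new token type, an early return) cannot reintroduce the client's value by accident; the only code that writes `X-User-Id` is the line that copies the verifier's result.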