EPiServer.ContentDeliveryApi 1.0.1
EPiServer.ContentDeliveryApi 2.1.0
Jun 27, 2018
Oct 30, 2018
Closed, Fixed and tested
Steps to reproduce:
1. Create User1 as an inactive user (the Active checkbox is unchecked).
2. Create User2 as an active user, then lock it (log in with the wrong password 3 times).
3. Post an API request to create an access token for User1 or User2 above:
EPCMSHost/api/episerver/auth/token grant_type = password
Expected:
Returns a response code 401 Unauthorized with an informative error message.
Actual:
Creates access token successfully.
Note: Locked status is often temporary, so creating a token for a locked user may be acceptable. Inactive status may be permanent, so authorization should be disallowed for inactive users.
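The check the expected behaviour calls for, as an added example (a language-neutral model in Python, not Episerver's code or its fix). The User record, the allow_locked switch, the 30-minute lockout and the sample accounts are assumptions constructed to mirror the reproduction steps.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class User:  # hypothetical account record, not an Episerver type
    salt: bytes
    pw_hash: bytes
    active: bool = True                      # the "Active" checkbox
    locked_until: Optional[datetime] = None  # set after repeated bad passwords

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, **state) -> User:
    salt = secrets.token_bytes(16)
    return User(salt, hash_pw(password, salt), **state)

DUMMY = make_user(secrets.token_hex(16))  # keeps unknown-user timing similar

def deny(reason: str):
    # 401 as the ticket expects, with a message naming the cause
    return 401, {"error": "invalid_grant", "error_description": reason}

def password_grant(users, username, password, now, allow_locked=False):
    """Decide a grant_type=password request; returns (status, body)."""
    user = users.get(username)
    ref = user or DUMMY
    ok = hmac.compare_digest(hash_pw(password, ref.salt), ref.pw_hash)
    # Check the password first, so account state is only revealed to a
    # caller who knows the credentials.
    if user is None or not ok:
        return deny("Invalid username or password.")
    if not user.active:  # possibly permanent: never issue a token
        return deny("The user account is inactive.")
    locked = user.locked_until is not None and now < user.locked_until
    if locked and not allow_locked:  # temporary: a policy decision
        return deny("The user account is locked.")
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}

def sample_users(now):
    # Constructed accounts mirroring the reproduction steps
    return {
        "User1": make_user("pw1", active=False),
        "User2": make_user("pw2", locked_until=now + timedelta(minutes=30)),
        "User3": make_user("pw3"),
    }

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, pw in [("User1", "pw1"), ("User2", "pw2"), ("User3", "pw3")]:
        print(name, password_grant(sample_users(now), name, pw, now)[0])
```

The inactive check ignores allow_locked, so relaxing the lockout policy cannot reopen token issuance for deactivated accounts.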