I'm forcing a match on my end at the moment, but I figured I'd log this as a potential bug or feature. The API isn't forcing the username to match up with the device id getting passed allowing any user to unpair any device.
I customized the scripts into server side code, so here's how the function looks on my end.
exports.pingid_unpair_device = function(pingid_username, pingid_deviceid, callback) {
var operationEndpoint = "unpairdevice/do";
var payload = {
"userName" : pingid_username,
"deviceId" : (pingid_deviceid == null) ? null : parseInt(pingid_deviceid),
"clientData" : null
};
pingid.send_pingid_request(operationEndpoint, payload, function(apiResponse) {
callback(apiResponse);
});
}
I'm forcing a match on my end at the moment, but I figured I'd log this as a potential bug or feature. The API isn't forcing the username to match up with the device id getting passed allowing any user to unpair any device.
I customized the scripts into server side code, so here's how the function looks on my end.