Hi FYERS team,
There is a security flaw in your process of issuing Access Token via Refresh Token.
1. The SHA256 hash of AppID:AppSecret, which is a mandatory parameter (see Fyers v3 Docs), is NOT being validated by the Fyers Auth Server. Here is the screenshot where, even if we pass any random text in the appIdHash param, we get a successful access token in response.
2. Every time a user fetches an Access token using a Refresh token, the user should receive a NEW Refresh token and the OLDER Refresh token should become INVALID for any further usage. Currently, there is NO protection against REUSE of the same Refresh token in a single day. This would protect against a malicious user silently using an already-used Refresh token to get an access token while the legitimate user is logged in.
3. There MUST be an API endpoint / method in the SDK / functionality on the Apps Dashboard web portal to LOG OUT of our custom API apps. Currently, there is NO such way to secure our running APIs in case a security breach is noticed by the legitimate user. The Access token remains valid till day end, the Refresh token remains valid for 15 days, and no one can stop their usage. This is a major security concern that needs to be reviewed!
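What the three points above ask for, shown as an added illustration that is not FYERS code and not part of the post: a hypothetical toy auth server that validates appIdHash in constant time, makes each refresh token single-use with reuse detection, and offers a logout that revokes the whole session. The TokenService API, the session model and the example app id/secret values are all assumptions.

```python
import hashlib, hmac, secrets, time

def app_id_hash(app_id, app_secret):
    """appIdHash as the v3 docs describe it: SHA256 over 'AppID:AppSecret'."""
    return hashlib.sha256(f"{app_id}:{app_secret}".encode()).hexdigest()

class TokenService:
    def __init__(self, app_id, app_secret, refresh_ttl=15 * 86400):  # 15-day refresh validity
        self._hash, self._ttl = app_id_hash(app_id, app_secret), refresh_ttl
        self._live = {}      # refresh token -> (session id, expiry); expiry None once spent
        self._sessions = {}  # session id -> current access token

    def issue(self, sid=None, now=None):  # login (new session) or rotation of an existing one
        sid, now = sid or secrets.token_hex(8), time.time() if now is None else now
        rt, at = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._live[rt] = (sid, now + self._ttl)
        self._sessions[sid] = at
        return {"access_token": at, "refresh_token": rt}

    def refresh(self, refresh_token, presented_hash, now=None):
        now = time.time() if now is None else now
        # Point 1: the hash must actually be checked, in constant time.
        if not hmac.compare_digest(presented_hash, self._hash):
            raise PermissionError("invalid appIdHash")
        if refresh_token not in self._live:
            raise PermissionError("unknown refresh token")
        sid, expiry = self._live[refresh_token]
        if expiry is None:
            # Point 2: a spent token presented again means it leaked; revoke the whole session.
            self._sessions.pop(sid, None)
            raise PermissionError("refresh token reuse detected; session revoked")
        self._live[refresh_token] = (sid, None)  # single use: mark it spent before anything else
        if now > expiry or sid not in self._sessions:
            raise PermissionError("refresh token expired or session logged out")
        return self.issue(sid, now)  # caller gets a NEW refresh token; the old one is dead

    def access_is_valid(self, access_token):
        return access_token in self._sessions.values()

    def logout(self, access_token):
        # Point 3: an explicit logout kills the access token and every refresh token of its session.
        sid = next((s for s, a in self._sessions.items() if hmac.compare_digest(a, access_token)), None)
        return self._sessions.pop(sid, None) is not None

def rejected(call, *args, **kwargs):  # True if the call is refused with PermissionError
    try:
        call(*args, **kwargs)
        return False
    except PermissionError:
        return True
```

With this model a replayed refresh token not only fails but also revokes the session it belonged to, so the legitimate user is forced to log in again rather than silently sharing a session with whoever holds the leaked token.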