Without a login I can follow one of my old links after completely clearing my browser cache and get to see a page like this. Most of the time it doesn’t show any data. But there is one possibly critical case described below.
In case of shared links I am even able to access the complete page with all settings of the bot loaded.
Apparently this happens as soon as there is a share parameter in the URL, where it doesn’t matter if they are real or made up. If there isn’t any, we are redirected to the login page.
Even if logged out, other users can access that homepage and display the password. Else they wouldn’t be able to get across the login and also not able to find it out. Another reason why 2-factor authentication is a must!
The only region that loads the homepage but then redirects to the login are the presets, but even to load the homepage seems to be wrong, too.
Maksym:
So I logged out and followed your links and I can see only login page.
As for the bot page: yes, it was designed to be visible even for not logged in users. For not logged in users we show settings and info box. Logged in users will be able to see deals, orders, events, minigrids and profit chart. UUID of the bot is hidden in both cases.
I was able to reproduce. I adjust logic page policy. In any case the app is not able to load anything except bot and backtest using share id.
It is correct that in the settings page you see autofilling. In any case we do not send the password from backend to frontend.
Yes, but there’s no button to display it. Instead the user is able to see the email address. Now both parts of the credentials except for 2FA are known.