As an aside, we have this covered for the v3 api, it is just the v2 api that has the issue (i.e. the controller code that responds to the v3 delete user call already has the call to invalidate the tokens). So people calling the v3 api are not subject to this vulnerability.
+1 on the patch.
As an aside, we have this covered for the v3 api, it is just the v2 api that has the issue (i.e. the controller code that responds to the v3 delete user call already has the call to invalidate the tokens). So people calling the v3 api are not subject to this vulnerability.