> Still trying to make up my mind whether to consider this a "vulnerability".
I'm leaning towards yes.
> I suspect those tokens end up being denied after their validity period?
I don't believe that option exists in Folsom - UUID tokens should be denied immediately.
> Is there a way for the admin to disable the tokens manually?
Yes, you can delete tokens one at a time if you know the token ( DELETE :35357/v2.0/tokens/{token_id} )
My guess is that there is a difference in behavior between disabling a user and deleting a user (both should result in all associated tokens being revoked). As a workaround, I'd suggest disabling the user prior to deletion.
> Is that only affecting Folsom?
Probably, but Grizzly needs to be tested as well.
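The workaround in the comment (disable the user first, then delete, then confirm its tokens no longer validate) as an added example. This is not Keystone's code and not the commenter's; it assumes the v2.0 admin endpoint on port 35357, the OS-KSADM user enable/disable and delete calls, and `GET /v2.0/tokens/{token_id}` for validation. `FakeKeystone` is a constructed in-memory stand-in that models the suspected behaviour (disable revokes tokens, plain delete does not) so the flow runs offline; swap in `http_send` to run it against a real admin API.

```python
"""Disable-before-delete workaround for a Keystone v2.0 user, with a check
that none of the user's UUID tokens still validate afterwards.

Added example, not Keystone's own code. Assumptions: admin API at :35357,
OS-KSADM enable/delete paths, GET/DELETE /v2.0/tokens/{id} for validate/revoke.
"""
import json
import urllib.error
import urllib.request

ADMIN_BASE = "http://127.0.0.1:35357/v2.0"  # assumption: Keystone admin endpoint


def http_send(method, url, admin_token, body=None):
    """Real transport: returns (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Auth-Token", admin_token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def disable_user(send, admin_token, user_id):
    """PUT /users/{id}/OS-KSADM/enabled with enabled=false (assumed path)."""
    url = f"{ADMIN_BASE}/users/{user_id}/OS-KSADM/enabled"
    return send("PUT", url, admin_token, {"user": {"enabled": False}})[0]


def delete_user(send, admin_token, user_id):
    """DELETE /users/{id} (assumed OS-KSADM path)."""
    return send("DELETE", f"{ADMIN_BASE}/users/{user_id}", admin_token)[0]


def token_is_valid(send, admin_token, token_id):
    """Admin-side validation: 200 means the token is still accepted."""
    status, _ = send("GET", f"{ADMIN_BASE}/tokens/{token_id}", admin_token)
    return status == 200


def revoke_token(send, admin_token, token_id):
    """DELETE /tokens/{id}, the per-token revocation mentioned in the comment."""
    return send("DELETE", f"{ADMIN_BASE}/tokens/{token_id}", admin_token)[0]


def safe_delete_user(send, admin_token, user_id, known_tokens=()):
    """Disable (which should revoke tokens), then delete, then verify.

    Returns the list of known tokens that still validated after deletion;
    each of those is revoked individually as a fallback. Empty list == clean.
    """
    disable_user(send, admin_token, user_id)
    delete_user(send, admin_token, user_id)
    leftovers = [t for t in known_tokens if token_is_valid(send, admin_token, t)]
    for tok in leftovers:
        revoke_token(send, admin_token, tok)
    return leftovers


class FakeKeystone:
    """Constructed stand-in modelling the reported behaviour: disabling a user
    drops its tokens, deleting the user leaves them valid (the suspected bug)."""

    def __init__(self, users):
        # users: {user_id: [token_id, ...]} (constructed sample data)
        self.users = {uid: True for uid in users}  # user_id -> enabled flag
        self.tokens = {tok: uid for uid, toks in users.items() for tok in toks}

    def send(self, method, url, admin_token, body=None):
        parts = url[len(ADMIN_BASE):].strip("/").split("/")
        if parts[0] == "users" and method == "PUT" and parts[2:] == ["OS-KSADM", "enabled"]:
            uid = parts[1]
            if uid not in self.users:
                return 404, None
            self.users[uid] = bool(body["user"]["enabled"])
            if not self.users[uid]:  # disable revokes every token of the user
                self.tokens = {t: u for t, u in self.tokens.items() if u != uid}
            return 200, {"user": {"id": uid, "enabled": self.users[uid]}}
        if parts[0] == "users" and method == "DELETE" and len(parts) == 2:
            if parts[1] not in self.users:
                return 404, None
            del self.users[parts[1]]  # tokens deliberately left behind
            return 204, None
        if parts[0] == "tokens" and len(parts) == 2:
            tid = parts[1]
            if tid not in self.tokens:
                return 404, None
            if method == "GET":
                return 200, {"access": {"token": {"id": tid}}}
            if method == "DELETE":
                del self.tokens[tid]
                return 204, None
        return 404, None
```

Against the fake, a plain `delete_user` leaves the user's tokens validating, which is the symptom under discussion; `safe_delete_user` returns an empty leftover list because the disable step revoked them first. The same functions work unchanged with `http_send` and a real admin token.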