The Owner of a Zopim dashboard account can create agents and disable them. Disabling an agent stops that agent from logging in to the dashboard (this is ok), but you are not expiring the agent's access_tokens. If an access_token is reused, we could gain access to the account again!
Think of a situation where an Owner creates an agent and gives it administration access. When the Owner finds out that it is an attacker's profile, he just disables it! But disabling the account does not seem secure here, because the account can still be used via
curl https://www.zopim.com/api/v2/agents \
  -X POST \
  -H "Authorization: Bearer <access_token_here>" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "firstname.lastname@example.org",
    "password": "secretpassword",
    "first_name": "attacker",
    "last_name": "Anon",
    "display_name": "Mr Robot",
    "enabled": 1,
    "im_server_id": "smith"
  }'
+ You could create an account!
(Sorry for the low clarity :p)
Just expire the access_tokens when the account is disabled, like you do when you "delete" the account.
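To illustrate the fix being asked for, here is an added example (not Zopim's code) of a token store that revokes every token issued to an agent when that agent is disabled, and whose token check also fails closed if the owning agent is no longer enabled. All names (AgentStore, issue_token, disable_agent, authenticate, create_agent_endpoint) and the agent data are hypothetical and constructed for the demo.

```python
import secrets
import time


class AgentStore:
    """Hypothetical in-memory store of agents and their bearer tokens."""

    def __init__(self):
        self.agents = {}   # agent_id -> {"enabled": bool, "role": str}
        self.tokens = {}   # token -> {"agent_id": str, "expires": float, "revoked": bool}

    def create_agent(self, agent_id, role="admin"):
        self.agents[agent_id] = {"enabled": True, "role": role}

    def issue_token(self, agent_id, ttl=3600):
        # A disabled (or unknown) agent must not be able to obtain new tokens either.
        if not self.agents.get(agent_id, {}).get("enabled"):
            raise PermissionError("agent missing or disabled")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"agent_id": agent_id,
                              "expires": time.time() + ttl, "revoked": False}
        return token

    def disable_agent(self, agent_id):
        """Disabling an agent also invalidates every token issued to it."""
        self.agents[agent_id]["enabled"] = False
        for rec in self.tokens.values():
            if rec["agent_id"] == agent_id:
                rec["revoked"] = True

    def authenticate(self, token):
        """Return the agent_id for a live token, else None.

        Two checks: the token itself is unexpired and not revoked, and the
        agent that owns it is still enabled. The second check means a
        token that somehow escaped revocation is still rejected."""
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"] or rec["expires"] <= time.time():
            return None
        agent = self.agents.get(rec["agent_id"])
        if agent is None or not agent["enabled"]:
            return None
        return rec["agent_id"]


def create_agent_endpoint(store, bearer_token, payload):
    """Simulated POST /api/v2/agents handler: 401 unless the token is accepted."""
    caller = store.authenticate(bearer_token)
    if caller is None:
        return 401, {"error": "invalid or revoked token"}
    store.create_agent(payload["email"], role="agent")
    return 201, {"created": payload["email"], "by": caller}
```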
Let me know if you need anything
Regards N B