Sorry? Please, if you don't like the way it is implemented, suggest your own way. This post is mostly about how to make it work at least; backend structure is not discussed here, just one of the possible cases is shown. "Additional" stuff can be anything. An endpoint returning a valid token is bad? Then how could the application get appropriate tokens to access protected endpoints? Why is it dangerous? There is no other way for code to get tokens without requesting them. Please, if you say that something is "bad", explain why. Owasp.org has some documents on web applications, but it doesn't say anything about returning tokens from an endpoint.