Manual Review link provided by API can be opened without specifying credentials in Vantage

Symptoms

When utilizing the API, the Manual Review link is presented in the following format when retrieving transaction information:
https://vantage-{instance}.abbyy.com/manual-review?transactionId={transactionID}&documentIds={documentID}=&jobId={jobID}&accessToken={accessToken}
The provided link can be opened without specifying user credentials, which can be a potential security risk.

Cause

The access token is appended to the URL as the accessToken parameter. This allows the Manual Review link to be opened without providing additional credentials on the Sign In form.

Resolution

The problem can be resolved by adjusting the review link before forwarding it in the workflow. The accessToken parameter should be completely removed from the link. In this scenario, the Sign In form will be displayed whenever an unauthorized user attempts to access the link. The URL needs to be provided in the following format:

https://vantage-{instance}.abbyy.com/manual-review?transactionId={transactionID}&documentIds={documentID}=&jobId={jobID}

It is important to note that authorized users will have uninterrupted access to the Manual Review without needing any additional authorization.
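
One way to apply this adjustment in a workflow step, as an added example that is not ABBYY's code: the function below drops only the accessToken parameter and leaves the rest of the query string exactly as the API returned it. The function name, host name, IDs and token value in the sample link are constructed placeholders.

```python
from urllib.parse import unquote, urlsplit, urlunsplit

# Parameter names that must never be forwarded (compared case-insensitively).
SENSITIVE_PARAMS = {"accesstoken"}

# Constructed sample link in the format shown above; all values are placeholders.
SAMPLE_LINK = (
    "https://vantage-example.abbyy.com/manual-review"
    "?transactionId=tx-123&documentIds=doc-456=&jobId=job-789"
    "&accessToken=CONSTRUCTED-TOKEN-VALUE"
)


def strip_access_token(review_url: str) -> str:
    """Return review_url without the accessToken query parameter.

    The query string is filtered pair by pair instead of being parsed and
    re-encoded, so the remaining parameters are forwarded byte for byte.
    """
    parts = urlsplit(review_url)
    kept = []
    for pair in parts.query.split("&"):
        # Decode the key so a percent-encoded spelling is also caught.
        key = unquote(pair.split("=", 1)[0]).lower()
        if pair and key not in SENSITIVE_PARAMS:
            kept.append(pair)
    cleaned = urlunsplit(parts._replace(query="&".join(kept)))
    # Fail closed: refuse to forward a link that still carries a token
    # somewhere else, for example in the fragment.
    if "accesstoken=" in cleaned.lower():
        raise ValueError("access token still present in review link")
    return cleaned


if __name__ == "__main__":
    print(strip_access_token(SAMPLE_LINK))
```

The token value is not logged or printed anywhere, only discarded, so the workflow step itself does not become a second place where the token leaks.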

 
