DEF-026 — Eight endpoints require the auth token duplicated in the request body

Backend
Medium severity
New
Defect DEF-026 — Severity: Medium · Status: New
Published

2026-06-17


Summary

Eight authenticated endpoints reject requests with a validation error unless the Bearer token is sent twice: once in the Authorization header (as every other authenticated endpoint requires) and again as access_token inside the request body. This is an inconsistency within the API: the same valid token that grants access to the profile, vehicle, and story endpoints is not accepted on its own by these eight.

Affected Endpoints

  • POST /logout
  • POST /sos_trigger
  • POST /safty_trigger
  • POST /broadcasting_trigger
  • POST /update_user_device_token
  • POST /update_notification_settings
  • POST /send_notification
  • POST /send_custom_notification

Environment

  • Platform: DriveLink Backend API
  • Server: https://project6.dxtserver.com/drivelink_new/public/api/v1
  • Area: Authentication / Alerts / Settings
  • Date Reported: 2026-06-17
  • Testing Phase: Backend API Testing

Steps to Reproduce

  1. Obtain a valid Bearer token via POST /login-with-email.
  2. Send POST /logout with only the Authorization header and no body token:
     POST /logout
     Authorization: Bearer <valid_token>
  3. Observe the response.

Expected Behaviour

A valid token in the Authorization header is sufficient — consistent with every other authenticated endpoint in the API.

Actual Behaviour

{
  "status": 0,
  "message": "The access token field is required.",
  "errors": {
    "access_token": ["The access token field is required."]
  }
}

Workaround

Include the same token in the request body:

{
  "access_token": "<same_token_as_in_authorization_header>"
}

Additional Notes

  • POST /safty_trigger and POST /broadcasting_trigger additionally require latitude and longitude in the body — not needed by any other alert endpoint.
  • POST /send_notification and POST /send_custom_notification also require access_token in the body. Additionally, the data field on both must be a JSON string (a serialised JSON value), not a JSON object. send_custom_notification uses ntype (lowercase), not nType.
  • All other authenticated endpoints (GET /profile/details, GET /vehicles, POST /story/like, etc.) work correctly with only the Authorization header — making these eight endpoints the inconsistent minority.
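To turn the reproduction steps and the workaround above into a repeatable check, the script below (an added example, not DriveLink code or the project's own test suite) probes each endpoint with a header-only Bearer request and reports which ones answer with the access_token validation error quoted in Actual Behaviour, then re-runs with the body-duplicated token to confirm the workaround. The endpoint list, base URL and error shape are taken from this report; the bearer token value, the `fake_send` stand-in for the server (constructed so the probe runs offline) and the `http_send` transport are assumptions for illustration. The latitude/longitude requirement noted for /safty_trigger and /broadcasting_trigger is not modelled by the stand-in.

```python
"""Probe which DriveLink endpoints reject a header-only Bearer token (DEF-026)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

BASE_URL = "https://project6.dxtserver.com/drivelink_new/public/api/v1"

# Endpoints the report lists as needing the token duplicated in the body.
AFFECTED = [
    "/logout",
    "/sos_trigger",
    "/safty_trigger",
    "/broadcasting_trigger",
    "/update_user_device_token",
    "/update_notification_settings",
    "/send_notification",
    "/send_custom_notification",
]
# A POST endpoint the report names as working with the header alone.
CONSISTENT = ["/story/like"]

Sender = Callable[[str, Dict[str, str], Dict[str, object]], Dict[str, object]]


def build_request(token: str, duplicate_in_body: bool = False,
                  extra: Optional[Dict[str, object]] = None):
    """Standard Bearer request; the report's workaround adds access_token to the body."""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body: Dict[str, object] = dict(extra or {})
    if duplicate_in_body:
        body["access_token"] = token
    return headers, body


def is_body_token_error(resp: Dict[str, object]) -> bool:
    """Match the validation response quoted in DEF-026: status 0 and errors.access_token."""
    errors = resp.get("errors") or {}
    return resp.get("status") == 0 and isinstance(errors, dict) and "access_token" in errors


def probe(endpoints: List[str], token: str, send: Sender,
          duplicate_in_body: bool = False) -> List[str]:
    """Return the endpoints that still demand access_token in the request body."""
    rejected = []
    for path in endpoints:
        headers, body = build_request(token, duplicate_in_body)
        if is_body_token_error(send(path, headers, body)):
            rejected.append(path)
    return rejected


def http_send(path: str, headers: Dict[str, str], body: Dict[str, object]) -> Dict[str, object]:
    """Real transport (assumed): POST JSON to BASE_URL + path and parse the JSON reply."""
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as r:
            return json.loads(r.read())
    except urllib.error.HTTPError as e:
        # Validation failures may come back as 4xx with the same JSON body shape.
        return json.loads(e.read())


def fake_send(path: str, headers: Dict[str, str], body: Dict[str, object]) -> Dict[str, object]:
    """Constructed stand-in reproducing the behaviour DEF-026 describes; not the real server."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return {"status": 0, "message": "Unauthenticated."}
    if path in AFFECTED and "access_token" not in body:
        return {
            "status": 0,
            "message": "The access token field is required.",
            "errors": {"access_token": ["The access token field is required."]},
        }
    return {"status": 1, "message": "ok"}


if __name__ == "__main__":
    # Swap fake_send for http_send and supply a real token to run against the API.
    token = "<valid_token>"  # assumed placeholder
    print("header-only rejected:", probe(AFFECTED + CONSISTENT, token, fake_send))
    print("with body token rejected:", probe(AFFECTED, token, fake_send, duplicate_in_body=True))
```

Running the probe with `http_send` against the live API after the fix should return an empty list for the header-only pass; any endpoint that still appears is still inconsistent.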

Impact

  • A client that correctly implements Bearer token auth is rejected on logout and on every alert trigger; unless it inspects the response body, it will treat the user as logged out while the token remains valid on the server, and SOS/safety triggers never reach the backend
  • Because the rejection is a validation error rather than a 401, logout failures are likely to go unnoticed, leaving stale tokens active on the server
  • Carrying the token in the request body also puts it wherever request bodies are recorded (request logging, error reports), which header-only transport avoids
  • Any automated test or integration must maintain two separate auth patterns for the same API

Severity

Medium

Status

New

Reported By

QA / Testing Team