I’m actually not sure how important that check is from a security perspective, or if it would be safe to remove. @ukstv @dbcfd - any thoughts on if removing that check would open up any attack vectors on our admin API?
There are reasons to include the request path, mostly around cached data and overflowing responses, but given that these are secured with a one time code, I’m not sure what checking the request path here is meant to do. If we were not requiring a one time code for GET as well, then we would want the request path check here.