Since Homematic doesn't offer any other ways to report bugs (I had expected that issues would also be posted on connect-api), I'm reporting the problem here:
If a plugin successfully connects after authorization, the WebSocket connection remains open even if authorization is subsequently revoked.
This is a security concern because, even after the (plugin) user is removed, the connection to the HCU1 remains active and data can still be sent back and forth.
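
The behaviour reported above, modelled in memory as an added example (it is not part of the original report and not Homematic or HCU1 code): with `enforce_revocation=False` authorization is checked only at the handshake, so a revoked plugin keeps its session; with `True`, revocation closes the live sessions and every message re-checks the token. `Gateway`, `Session`, `enforce_revocation` and the token model are hypothetical names and assumptions.

```python
from dataclasses import dataclass
from typing import Optional

POLICY_VIOLATION = 1008  # RFC 6455 close code for a policy violation


@dataclass
class Session:
    """Stand-in for one open WebSocket; no real socket is involved."""
    token: str
    is_open: bool = True
    close_code: Optional[int] = None

    def close(self, code: int) -> None:
        self.is_open, self.close_code = False, code


class Gateway:
    """Hypothetical hub-side registry of plugin tokens and their live sessions."""

    def __init__(self, enforce_revocation: bool):
        self.enforce_revocation = enforce_revocation
        self.tokens = set()    # currently authorized tokens
        self.sessions = {}     # token -> list of live Session objects

    def authorize(self, token: str) -> None:
        self.tokens.add(token)

    def connect(self, token: str) -> Optional[Session]:
        if token not in self.tokens:         # authorization check at handshake
            return None
        session = Session(token)
        self.sessions.setdefault(token, []).append(session)
        return session

    def revoke(self, token: str) -> int:
        """Remove the token; when enforcing, also close every session it opened."""
        self.tokens.discard(token)
        if not self.enforce_revocation:
            return 0                         # reported behaviour: sockets stay up
        closed = self.sessions.pop(token, [])
        for session in closed:
            session.close(POLICY_VIOLATION)
        return len(closed)

    def handle_message(self, session: Session, payload: str) -> bool:
        """Return True if the message is accepted for processing."""
        if self.enforce_revocation and session.token not in self.tokens:
            session.close(POLICY_VIOLATION)  # per-message re-check as a backstop
            return False
        return session.is_open
```
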