The second use case shown on the wiki page of the GPII Authorization workflow is the workflow between the local GPII installation and the GPII cloud. At the moment, this workflow has no authorization process in place to verify that:
1. The request is sent by an installation of the local flow manager;
2. This local flow manager has been authorized by the settings owner to access his/her settings.
This means that all HTTP settings requests in the format :userToken/untrusted-settings/:deviceInfo received at the cloud-based flow manager will be processed and the user settings will be returned, regardless of who or where those requests are sent from.
Research is required on how to add authorization to this communication.
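
The two missing checks listed above, sketched as a request gate for the :userToken/untrusted-settings/:deviceInfo route. This is an added example, not GPII code or a chosen design: the HTTP Basic installation credentials, the in-memory tables, and every name and sample value in it are assumptions constructed for illustration.

```javascript
const nodeCrypto = require("crypto");
const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest();

// Constructed sample data (hypothetical, not GPII's data model).
// Check 1: registered local flow manager installations -> hash of their secret.
const installations = new Map([
  ["lfm-install-1", sha256("constructed-secret-1")],
  ["lfm-install-2", sha256("constructed-secret-2")],
]);
// Check 2: installations each settings owner (by user token) has authorized.
const ownerGrants = new Map([["alice-token", new Set(["lfm-install-1"])]]);

const ROUTE = /^\/([^/]+)\/untrusted-settings\/([^/]+)$/;

// headers: lower-cased header names, as Node's http module provides them.
function authorizeSettingsRequest(path, headers) {
  const route = ROUTE.exec(path);
  if (!route) return { status: 404, reason: "not a settings request" };
  const userToken = route[1];

  // Assumed scheme: Authorization: Basic base64(installationId:secret)
  const auth = /^Basic ([A-Za-z0-9+/]+=*)$/.exec(headers.authorization || "");
  if (!auth) return { status: 401, reason: "missing credentials" };
  const decoded = Buffer.from(auth[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 1) return { status: 401, reason: "malformed credentials" };
  const installationId = decoded.slice(0, sep);
  const expected = installations.get(installationId);
  // Compare fixed-length hashes in constant time.
  const presented = sha256(decoded.slice(sep + 1));
  if (!expected || !nodeCrypto.timingSafeEqual(presented, expected)) {
    return { status: 401, reason: "unknown installation or bad secret" };
  }

  // Authenticated is not enough: the owner must have granted this installation.
  const granted = ownerGrants.get(userToken);
  if (!granted || !granted.has(installationId)) {
    return { status: 403, reason: "installation not authorized by settings owner" };
  }
  return { status: 200, installationId, userToken };
}
```

The 401 and 403 outcomes are kept separate so that logs distinguish an unidentified sender from a known installation asking for settings its owner never shared with it.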