The password is stored in the ebook_api session cache, which is separate from the main Evergreen session cache. The user does not need to be logged in to Evergreen for an ebook_api session to exist. EG should be verifying the existence of an ebook_api session (or initiating one) first, then caching the password via a callback function. Or at least that's the intended behavior -- there is clearly a bug here.
The password is stored in the ebook_api session cache, which is separate from the main Evergreen session cache. The user does not need to be logged in to Evergreen for an ebook_api session to exist. EG should be verifying the existence of an ebook_api session (or initiating one) first, then caching the password via a callback function. Or at least that's the intended behavior -- there is clearly a bug here.