This was addressed in commit (fd2cc2a), however it was then reverted after discussion with @jaylees14.
The problem is that since only a token is sent for authentication, it must be checked against all tokens in the token table. If all tokens are hashed for storing, then the incoming token must be compared to each hashed token using bcrypt. This is not performant, so for now tokens will be stored in plain text. This is viable for the MVP since the quantity of token entries will be low. In the future it makes sense to implement the system using JWT (JSON Web Tokens), which encodes the username/user ID in the token, making lookup efficient.
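The trade-off described in the comment above, as an added illustration that is not code from this repository. PBKDF2 from the Python standard library stands in for bcrypt, and the `<user_id>.<secret>` token format is a simplified stand-in for the user ID a JWT would carry; all function names and the table layouts are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 1_000  # demo value only; stands in for bcrypt's cost factor
kdf_calls = 0       # counts slow-hash invocations so the cost is visible

def slow_hash(secret: str, salt: bytes) -> bytes:
    """Salted slow hash; PBKDF2 is an assumed stand-in for bcrypt."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def issue_opaque(table: list, user_id: int) -> str:
    """Token is only a random secret; the table keeps (user_id, salt, hash)."""
    token = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    table.append((user_id, salt, slow_hash(token, salt)))
    return token

def lookup_opaque(table: list, token: str):
    """Each row has its own salt, so each row costs one slow hash."""
    for user_id, salt, digest in table:
        if hmac.compare_digest(slow_hash(token, salt), digest):
            return user_id
    return None

def issue_with_id(table: dict, user_id: int) -> str:
    """Token is '<user_id>.<secret>'; one token per user in this sketch."""
    secret = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    table[user_id] = (salt, slow_hash(secret, salt))
    return f"{user_id}.{secret}"

def lookup_with_id(table: dict, token: str):
    """One dictionary lookup and one slow hash, whatever the table size."""
    uid, sep, secret = token.partition(".")
    row = table.get(int(uid)) if sep and uid.isascii() and uid.isdigit() else None
    if row is None:
        return None
    salt, digest = row
    return int(uid) if hmac.compare_digest(slow_hash(secret, salt), digest) else None

def count_calls(fn, *args):
    """Return (result, number of slow hashes that fn needed)."""
    before = kdf_calls
    result = fn(*args)
    return result, kdf_calls - before
```

With 20 stored tokens, `count_calls(lookup_opaque, ...)` reports 20 slow hashes for the last-issued token, while `count_calls(lookup_with_id, ...)` reports 1.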
Should be hashed and salted the same as account passwords.