-
-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Store the generated tokens as hashed (BCrypt) #80
Comments
For the same reasons as you state, I didn't find it necessary the first time around. But you are totally right – there are plenty of reasons to hash them. I don't have much time right now during these weird quarantined times, but eventually we ought to hash the tokens. PRs are very welcome! |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello, I'd like to use this library but I'm concerned about the fact that the tokens are stored in plain text in the database. For their duration (by default, one hour) they are essentially passwords. I would have expected them to be hashed or at least encrypted before being stored in the database, like a password, no?
I imagine it's less of an issue because they're short-lived, but I guess if an attacker has read access to the database and initiates a login of one of the users, the attacker can get the newly generated token and login as that user. If it were hashed or encrypted, the attacker would need write access to the database and know what hashing/encryption algorithm is used.
I imagine I'm missing something, but passwordless is a pretty close analogue to password reset tokens, and devise encrypts those.
I'd love to know why that's not the case in this library, because otherwise it looks great!
The text was updated successfully, but these errors were encountered: