Authorization token is kinda weak. #4

petertorelli opened this issue Jan 7, 2020 · 0 comments

@petertorelli petertorelli commented Jan 7, 2020

Seems pointless to store the hash of the auth token if you're sending the auth token to the email address. Sure, the hash is "unique" so it is easy to look up the user from the hash of the token without exposing the username, and the only thing a person can do is ACTIVATE the account, so that's not really any kind of risk in there, except someone can accidentally authenticate someone or create a new token if theirs expires. I did this because I wanted a way to uniquely identify a user without exposing their user ID in an unprotected plaintext email, but thinking about it: the chance of a sha256 matching 16 random bytes plus the date is maybe a little more unique; it's not like this is mission-critical.
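The scheme the comment describes (mail the raw token, store only its SHA-256, find the user by the hash) as an added, self-contained example; this is not the project's code. It assumes an in-memory dict in place of the database, integer epoch seconds for time, and adds the two checks the comment touches on: the stored hash expires, and a link can only activate once.

```python
import hashlib
import secrets
import time

# Constructed stand-in for the database table. Only the SHA-256 of the token is
# kept, keyed by that digest, so the user is found from the hash alone and a
# leaked copy of this table yields nothing that can be pasted into the link.
_ACTIVATIONS = {}


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_activation_token(user_id, now=None, ttl_seconds=24 * 3600):
    """Create a one-time activation token and return the value to e-mail."""
    now = int(time.time()) if now is None else now
    token = secrets.token_hex(16)            # 16 random bytes, hex-encoded
    _ACTIVATIONS[_digest(token)] = {
        "user_id": user_id,
        "expires": now + ttl_seconds,
        "used": False,
    }
    return token


def activate(token, now=None):
    """Look up the user by the hash of the presented token.

    Returns the user id on success, or None if the token is unknown,
    already used, or expired (the caller can then issue a fresh token).
    """
    now = int(time.time()) if now is None else now
    entry = _ACTIVATIONS.get(_digest(token))
    if entry is None or entry["used"] or now > entry["expires"]:
        return None
    entry["used"] = True                     # replaying the same link fails
    return entry["user_id"]
```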
