Seems pointless to store the hash of the auth token if you're sending the auth token to the email address. Sure, the hash is "unique" so it is easy to look up the user from the hash of the token without exposing the username, and the only thing a person can do is ACTIVATE the account, so that's not really any kind of risk in there, except someone can accidentally authenticate someone or create a new token if theirs expires. I did this because I wanted a way to uniquely identify a user without exposing their user ID in an unprotected plaintext email, but thinking about it: the chance of a sha256 matching 16 random bytes plus the date is maybe a little more unique; it's not like this is mission-critical.