Environment

Actual behavior

The moduledoc for Token states:

The data stored in the token is signed to prevent tampering but not encrypted. This means it is safe to store identification information (such as user IDs) but should not be used to store confidential information (such as credit card numbers).

This is definitely true of Token.sign/4, but Token.encrypt/4 seems to perform actual encryption (Phoenix implementation, which invokes the Plug.Crypto implementation). Doing some archeology, it looks like this snippet was written a few years before the implementation of Token.encrypt/4.

Expected behavior

The docs should reflect current behavior of the module. Now, perhaps someone shouldn't send credit card numbers to the frontend, but it would seem that the implementation does provide secrecy. Please do let me know if I'm off-base, though, and there's some caveat about this crypto that I'm not seeing.
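Added example, not code from the Phoenix project or from the issue author: it drives Phoenix.Token.sign/4 and Phoenix.Token.encrypt/4 with a constructed secret_key_base and checks which of the two tokens exposes its payload to anyone who can read the token. The segment-decoding helper assumes Plug.Crypto's dot-separated, url-safe-base64 token layout; the key material, salt and payload are constructed for the demo.

```elixir
# Added example (not from the Phoenix project or the issue author).
# Assumes Phoenix.Token's documented API and a constructed secret_key_base.
defmodule TokenSecrecyCheck do
  # Constructed key material; a real app passes its endpoint or conn instead.
  @secret_key_base String.duplicate("k", 64)
  @salt "user auth"
  @secret "encrypt secret"

  # True when any "."-separated segment of the token decodes (url-safe base64
  # followed by Erlang external term format) to a term that exposes `data`.
  # Layout assumption: Plug.Crypto's JWS/JWE-like dot-separated encoding.
  def leaks?(token, data) do
    token
    |> String.split(".")
    |> Enum.any?(fn seg ->
      with {:ok, bin} <- Base.url_decode64(seg, padding: false),
           {:ok, term} <- safe_term(bin) do
        term == data or match?(%{data: ^data}, term)
      else
        _ -> false
      end
    end)
  end

  # binary_to_term raises on non-ETF bytes (ciphertext, headers); treat as no leak.
  defp safe_term(bin) do
    {:ok, :erlang.binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> :error
  end

  def demo do
    # Constructed payload mixing an identifier with a secret-looking value.
    data = %{user_id: 42, card: "4111-1111-1111-1111"}
    signed = Phoenix.Token.sign(@secret_key_base, @salt, data)
    encrypted = Phoenix.Token.encrypt(@secret_key_base, @secret, data)

    # Both round-trip for the holder of the key material.
    {:ok, ^data} = Phoenix.Token.verify(@secret_key_base, @salt, signed, max_age: 60)
    {:ok, ^data} = Phoenix.Token.decrypt(@secret_key_base, @secret, encrypted, max_age: 60)

    # Only the signed token lets a token holder read the payload without the key;
    # the encrypted token hides it, which is the behavior the issue describes.
    %{signed_leaks: leaks?(signed, data), encrypted_leaks: leaks?(encrypted, data)}
  end
end
```

Run `TokenSecrecyCheck.demo/0` in an iex session of a Phoenix app to compare the two results.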