Stale moduledoc for Token regarding token secrecy

[ollien]

Environment

• Elixir version (elixir -v): N/A
• Phoenix version (mix deps): 1.7.11
• Operating system: N/A

Actual behavior

The moduledoc for Token states

The data stored in the token is signed to prevent tampering but not encrypted. This means it is safe to store identification information (such as user IDs) but should not be used to store confidential information (such as credit card numbers).

This is definitely true of Token.sign/4, but Token.encrypt/4 seems to perform actual encryption (Phoenix Implementation, which invokes the Plug.Crypto implementation). Doing some archeology, it looks like this snippet was written a few years before the implementation of Token.encrypt/4.

Expected behavior

The docs should reflect current behavior of the module. Now, perhaps someone shouldn't send credit card numbers to the frontend, but it would seem that the implementation does provide secrecy. Please do let me know if I'm off-base, though, and there's some caveat about this crypto that I'm not seeing.

[josevalim]

@ollien you are correct, can you please send a PR and ping me? I'd be glad to review it and merge it!

[ollien]

Absolutely! I need to find some time (life is getting in the way this week), but it's on my list :)