You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Because we need to store some reference of the refresh token in the access token too. We can't store it in plain text in there, so we must hash it in order to store it in the access token.
Since we are "sending out" the hash of the refresh token, it can potentially be read if the access token is stolen.
If in the future, there is an API that reads the hash of the refresh token (from the access token) to do some operation that is mutating in nature, then this hashed refresh token might also become a sensitive token.
In general, we want to minimise the set of sensitive tokens stored in the db. So we don't want to store the hashed refresh token either (for future possible changes). So we stored the double hash.
One might argue that this is not really adding any security as of today, and may never add any in the future either (if no such API that takes hash(refresh token) comes along). But then doing another hash before storage is a very cheap operation anyway.. So might as well.
No description provided.
The text was updated successfully, but these errors were encountered: