adamniedzielski/tiddle

Randomly Generated Token is saved directly to the Database

Closed this issue · 1 comment

I noticed the Token returned by create_token is the same token that has been saved to the database.

This could lead to issues where accidentally revealing a token (i.e. Rails' default JSON prints too much info) can allow a malicious user direct access to another account.

Generating a Digest and saving that to the database would be much more secure.
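As an added illustration (not tiddle's own code), the following contrasts the pattern this issue reports, where the value returned by create_token is the value persisted, with the proposed digest-before-storing approach; the in-memory hashes are an assumed stand-in for the token table.

```ruby
require "securerandom"
require "digest"

# Constructed in-memory stand-ins for an authentication_tokens table
# (hypothetical; the real project uses an ActiveRecord model).
PLAINTEXT_STORE = {} # raw token => user_id (the pattern the issue reports)
DIGEST_STORE    = {} # SHA-256 hex digest => user_id (the proposed fix)

# The reported pattern: the value handed to the client is the very same
# value persisted, so any leak of the row is a leak of the credential.
def create_token_plaintext(user_id)
  raw = SecureRandom.urlsafe_base64(32)
  PLAINTEXT_STORE[raw] = user_id
  raw
end

def authenticate_plaintext(raw_token)
  PLAINTEXT_STORE[raw_token]
end

def token_digest(raw_token)
  Digest::SHA256.hexdigest(raw_token)
end

# Hardened variant: persist only the digest; the raw token exists solely in
# the one response that returns it to the client.
def create_token_digested(user_id)
  raw = SecureRandom.urlsafe_base64(32)
  DIGEST_STORE[token_digest(raw)] = user_id
  raw
end

# Lookup re-hashes the presented token. The client never sees the digest and
# cannot invert SHA-256 over 256 bits of randomness, so an exposed row (for
# example via an over-broad to_json) does not grant access. A plain indexed
# equality lookup on the digest column suffices: the stored value is already
# a hash of a high-entropy secret, so no slow password hash is required.
def authenticate_digested(raw_token)
  return nil if raw_token.nil? || raw_token.empty?
  DIGEST_STORE[token_digest(raw_token)]
end

# What a leaked row is worth to whoever reads it: true only for the
# plaintext scheme, where the stored value is itself a valid credential.
def leaked_row_grants_access?(store, authenticator)
  store.keys.any? { |stored| !authenticator.call(stored).nil? }
end
```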

Let's discuss only in #7