How do you store refresh tokens? #348

Open
cottton opened this issue Jul 18, 2021 · 0 comments
Comments


cottton commented Jul 18, 2021

I suggest NOT posting how you store your tokens. Don't give hints out in public.
This post is more to bring attention to this topic, so people do not store refresh tokens as plain text in the DB.

Background: #119 (comment)

TL;DR: a plain-text refresh token in the DB means that if there is a DB leak, the attacker can log in with the token.
Meaning: the refresh token should be handled like a clear-text password.

I really would like to see a pretty short but clear description in the README
that makes clear: the refresh token should be handled like a clear-text password. It must be stored hashed in the DB.

And since this is PHP-jwt, I suggest an example with PHP password_hash() | password_verify().

Thank you.
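The pattern the issue asks for, written out as an added example (not code from php-jwt or from the issue author). It assumes an in-memory array standing in for the database table and hypothetical helper names (`issueRefreshToken`, `verifyRefreshToken`). One detail password_hash() forces on the design: its salt is random, so the server cannot look a row up by hashing the presented token; the token is therefore split into a public id (the lookup key) and a secret (the part that is hashed), joined with a dot. The secret is 43 characters, comfortably under bcrypt's 72-byte input limit.

```php
<?php
// Added example: issue a refresh token, persist only a hash of its secret part,
// verify it on use. The "database" is a constructed in-memory array.
declare(strict_types=1);

function b64url(string $bytes): string
{
    // URL-safe base64 without padding; alphabet contains no '.', so the
    // id/secret separator below is unambiguous.
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/**
 * Issue a refresh token for $userId.
 * Returns [$tokenForClient, $rowToStore]; only $rowToStore goes in the DB.
 */
function issueRefreshToken(int $userId, int $ttlSeconds = 30 * 86400): array
{
    $id     = b64url(random_bytes(16)); // lookup key, stored in clear
    $secret = b64url(random_bytes(32)); // the "password"; stored only as a hash

    $row = [
        'id'         => $id,
        'user_id'    => $userId,
        'hash'       => password_hash($secret, PASSWORD_DEFAULT),
        'expires_at' => time() + $ttlSeconds,
        'revoked'    => false,
    ];
    return [$id . '.' . $secret, $row];
}

/**
 * Verify a presented token against the stored rows.
 * Returns the matching row, or null if the token is malformed, unknown,
 * expired, revoked, or its secret does not match the stored hash.
 */
function verifyRefreshToken(string $token, array $db): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$id, $secret] = $parts;

    $row = $db[$id] ?? null;
    if ($row === null || $row['revoked'] || $row['expires_at'] < time()) {
        return null;
    }
    if (!password_verify($secret, $row['hash'])) {
        return null;
    }
    return $row;
}

// --- demo with a constructed in-memory table ---
$db = [];
[$token, $row] = issueRefreshToken(42);
$db[$row['id']] = $row;

// This is all a DB leak exposes: the id and a bcrypt hash, not the secret.
echo "stored row: {$row['id']} / {$row['hash']}\n";

// A legitimate client presents the full id.secret token.
echo 'legitimate refresh: '
    . (verifyRefreshToken($token, $db) !== null ? 'accepted' : 'rejected') . "\n";

// An attacker holding only the leaked row can try id.hash, which is not the secret.
$forged = $row['id'] . '.' . $row['hash'];
echo 'token forged from leaked row: '
    . (verifyRefreshToken($forged, $db) !== null ? 'accepted' : 'rejected') . "\n";

// Revoking the row (e.g. after rotation on use) makes a replay of the real token fail.
$db[$row['id']]['revoked'] = true;
echo 'replay after revocation: '
    . (verifyRefreshToken($token, $db) !== null ? 'accepted' : 'rejected') . "\n";
```

One caveat a practitioner should weigh: bcrypt's cost is designed for low-entropy human passwords. A refresh token generated from 32 random bytes is not guessable by brute force, so storing a plain SHA-256 of the token (compared with hash_equals()) also defeats a DB leak and has the practical advantage that the row can be looked up directly by its hash, with no separate id. Either way, the plaintext token must never be written to the database.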
