Store the generated tokens as hashed (BCrypt)

[timwis]

Hello, I'd like to use this library but I'm concerned about the fact that the tokens are stored in plain text in the database. For their duration (by default, one hour) they are essentially passwords. I would have expected them to be hashed or at least encrypted before being stored in the database, like a password, no?

I imagine it's less of an issue because they're short-lived, but I guess if an attacker has read access to the database and initiates a login of one of the users, the attacker can get the newly generated token and login as that user. If it were hashed or encrypted, the attacker would need write access to the database and know what hashing/encryption algorithm is used.

I imagine I'm missing something, but passwordless is a pretty close analogue to password reset tokens, and devise encrypts those.

I'd love to know why that's not the case in this library, because otherwise it looks great!

[mikker]

For the same reasons as you state, I didn't find it necessary the first time around.

But you are totally right – there are plenty of reasons to hash them. I don't have much time right now during these weird quarantined times, but eventually we ought to hash the tokens. PRs are very welcome!