
Hash auth tokens like API keys

Open. m4dcoder opened this issue 4 years ago, 1 comment

Currently, auth tokens are stored in the database as is and unencrypted. If the st2 database is compromised, all the auth tokens connected to the users can be misused. Instead of storing the actual value of the auth tokens in the database, hash the auth tokens like we do with the API keys. The st2 API can validate the auth token in the request by generating the signature and matching the hash value. If the st2 database is compromised, the hashes cannot be used as auth tokens. If an auth token is compromised, the exposure is limited.

m4dcoder, Sep 01 '21 21:09
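The scheme proposed above, as an added example that is not st2's own code: the store keeps only a SHA-256 digest of each token, validation hashes the presented token and looks the digest up, and the stored digest itself is rejected as a credential. The in-memory `TOKEN_STORE` and the function names are constructed for this illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class TokenRecord:
    """Constructed stand-in for one row of the auth token collection."""
    user: str
    expiry: datetime


# Constructed stand-in for the database: keyed by token hash (an indexed
# column in a real store), so the raw token value is never persisted.
TOKEN_STORE: Dict[str, TokenRecord] = {}


def hash_token(token: str) -> str:
    # Tokens are high-entropy random strings, so a single unsalted SHA-256 is
    # sufficient; a slow password hash is only needed for low-entropy secrets.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_token(user: str, ttl_seconds: int = 86400) -> str:
    # The raw token is handed to the caller exactly once; only its hash is stored.
    token = secrets.token_urlsafe(32)
    expiry = datetime.now(timezone.utc) + timedelta(seconds=ttl_seconds)
    TOKEN_STORE[hash_token(token)] = TokenRecord(user=user, expiry=expiry)
    return token


def validate_token(token: str) -> Optional[str]:
    # Hash the presented value and look the digest up; an attacker holding a
    # database dump only has digests, and a digest hashes to something else.
    record = TOKEN_STORE.get(hash_token(token))
    if record is None or record.expiry <= datetime.now(timezone.utc):
        return None
    return record.user


def revoke_token(token: str) -> bool:
    # Revocation also works from the raw token alone, by its hash.
    return TOKEN_STORE.pop(hash_token(token), None) is not None
```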

Thanks for contributing to this issue. As it has been 90 days since the last activity, we are automatically marking it as stale. If this issue is not relevant or applicable anymore (problem has been fixed in a new version or similar), please close the issue or let us know so we can close it. On the contrary, if the issue is still relevant, there is nothing you need to do, but if you have any additional details or context which would help us when working on this issue, please include it as a comment to this issue.

stale[bot], Apr 16 '22 05:04