
Question: Why keep the password and password confirmation on the Authorization model?

Open. joeellis opened this issue 8 years ago • 3 comments

I was just going through the code and had a question about this line:

https://github.com/hassox/phoenix_guardian/blob/2a502ac49d696aac73857a092c92345328e899de/web/auth/user_from_auth.ex#L128

Could you explain why it's beneficial to set the password and password_confirmation on the Authorization model at all? AFAICT from the code, it seems like the generated token would be enough for authorization purposes, and this just leaves the password hanging around in memory, which could potentially make it vulnerable to buffer overflow attacks.

You've clearly added it here for a specific purpose though, so I'm assuming I'm missing something. I just can't seem to find a reference to these fields being used on an authorization struct anywhere.

Thanks!

joeellis · Mar 07 '16 13:03

Or, second thought: is it added to allow the password / password_confirmation form fields to be re-populated on signup / signin forms in case of an error?

joeellis · Mar 07 '16 14:03

I think this is just old code that I missed. It used to be that the authorization model converted the PW to the encrypted version but I moved it over.

hassox · May 31 '16 06:05

I'm wondering what you guys think about storing the encrypted password in the token field. In my past projects the password was on the user table and the authorizations table was strictly OAuth.

mikeni · Aug 13 '16 12:08
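The layout mikeni describes (password hash on the user table, the authorizations table reserved for OAuth identities) avoids the situation joeellis spotted, where plaintext `password` / `password_confirmation` end up on a persisted struct. The following is an added illustration, not code from phoenix_guardian: an Ecto `User` schema whose password fields are virtual, so they exist only for the form round-trip and changeset validation and are hashed into `password_hash` before anything touches the database. It assumes Ecto and the `bcrypt_elixir` package (`Bcrypt.hash_pwd_salt/1`, `Bcrypt.verify_pass/2`, `Bcrypt.no_user_verify/0`); the module, schema and field names are hypothetical.

```elixir
# Added example (not from the phoenix_guardian repository). The password and its
# confirmation are virtual fields: validated in the changeset, hashed into
# `password_hash`, never written to the users table. Assumes Ecto and bcrypt_elixir;
# all module, table and field names here are hypothetical.
defmodule MyApp.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    field :password_hash, :string
    # virtual: present on the struct for form re-population, absent from the table
    field :password, :string, virtual: true
    field :password_confirmation, :string, virtual: true
    timestamps()
  end

  @doc "Sign-up changeset; only the bcrypt hash reaches the database."
  def registration_changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :password, :password_confirmation])
    |> validate_required([:email, :password])
    |> validate_length(:password, min: 12)
    # checks that params["password_confirmation"] matches :password
    |> validate_confirmation(:password, required: true)
    |> unique_constraint(:email)
    |> put_password_hash()
  end

  # Hash only once the changeset is valid, then drop the plaintext changes so the
  # cleartext is not carried along on the changeset after this point.
  defp put_password_hash(%Ecto.Changeset{valid?: true, changes: %{password: pw}} = cs) do
    cs
    |> put_change(:password_hash, Bcrypt.hash_pwd_salt(pw))
    |> delete_change(:password)
    |> delete_change(:password_confirmation)
  end

  defp put_password_hash(changeset), do: changeset
end

# OAuth identities live in their own table; no password material is stored here.
defmodule MyApp.Authorization do
  use Ecto.Schema

  schema "authorizations" do
    field :provider, :string
    field :uid, :string
    field :token, :string
    field :refresh_token, :string
    field :expires_at, :integer
    belongs_to :user, MyApp.User
    timestamps()
  end
end

# Verifying a sign-in against the stored hash. When the email is unknown, a dummy
# bcrypt run keeps the response time close to the known-user path.
defmodule MyApp.Auth do
  def verify_password(nil, _password) do
    Bcrypt.no_user_verify()
    {:error, :not_found}
  end

  def verify_password(%MyApp.User{password_hash: hash} = user, password) do
    if Bcrypt.verify_pass(password, hash), do: {:ok, user}, else: {:error, :unauthorized}
  end
end
```

With this arrangement a failed sign-up can still re-render the form from the changeset's params, while `Repo.insert/1` on the changeset writes only `email` and `password_hash`; the virtual fields are not columns, so there is nothing to persist even if a caller forgets to clear them.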