Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Why do we store tokens if we always decode them for validation? #39

Open
georgiana-b opened this issue Dec 29, 2017 · 1 comment
Open

Why do we store tokens if we always decode them for validation? #39

georgiana-b opened this issue Dec 29, 2017 · 1 comment
Labels
question

Comments

@georgiana-b
Copy link
Member

georgiana-b commented Dec 29, 2017
edited
Loading

We use 4 types of tokens in Elvis:

  • access-token
  • refresh-token
  • activation-token
  • reset-password-token
    These are all JWT tokens which means we encode some unique identifier of the user to obtain the token and then decode the token and use that unique identifier for validation.
    So we don't match the received tokens to the tokens stored in the db, does it make sense to keep the tokens in db?
@edgarmarkosov
Copy link
Collaborator

We keep only access and refresh tokens in the db, because if someone somehow will generate access token with the right user data in the it we will reject that token, as it is not stored in our db.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@edgarmarkosov @georgiana-b