Replies: 1 comment 2 replies
-
|
the tokens are stored as SHA265 hashes in our database
I don't see why we would need a plaintext |
Beta Was this translation helpful? Give feedback.
-
|
@Turbo87 how are permissions implemented for api tokens? and how do you handle that granularity? and make sure that mistakes don't happen? is there some way to prove the permissions system is correct? |
Beta Was this translation helpful? Give feedback.
-
|
probably easiest to look directly at the code in this repository to answer the question 😉 |
Beta Was this translation helpful? Give feedback.
-
crates.io has an api to publish crates from the cli. that requires creating a api token.
i want to know how is the token stored in the database? how does it know that it is my token?
is the token stored as plain text or as a hash? if it is hashed, does it also use salt? if yes, then the newly calculated hash when the request is received and the hashed token stored in the table won't match. so how does it match tokens using select statements?
i think this problem can be avoided by using api_key and api_secret where the api_key is stored as plaintext and the api_secret is hashed. it works just like username and password.
but how to do with just single value?
Beta Was this translation helpful? Give feedback.
All reactions