Is it necessary to hash REST API tokens?

So I have a REST API and some socket APIs which use a common token validation module. Here are the things that the token module does:

function tokenManager() {
  this.generate = (db, userId, cacheManager) => {
    /* Generates a token for a user and stores it in a db; also puts it in a
       cache as a token: userId key-value pair. */
  }

  this.verify = async (db, token, cacheManager) => {
    /* Checks the cache if a user is present for the given token and returns
       the user id. If the token was not found in cache, it verifies it from
       the database and puts it in cache. */

    // Each time for a successful verification, the token validity is increased by one day.
  }
}

This approach works well; however, the tokens are stored in the database as plain text. If someone gains access to the database, they could get the tokens and make API calls; although rate limiting is present, there is some data compromised. I was planning to hash the API tokens and store them, but a hash compare has to be done on literally every request, putting extra computation load on the server (especially bad for Node). Is there a better way to implement this? Or is it even necessary to hash API tokens?
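
One way to keep the cache-then-database flow described in the question while storing only a digest of each token (an added example, not code from the original post; `createTokenManager`, `digest` and the in-memory Maps standing in for the database and the cache are assumptions):

```javascript
// Added example: Maps stand in for the database and the cache (assumption).
const crypto = require('crypto');

const DAY_MS = 24 * 60 * 60 * 1000;

// One SHA-256 pass is sufficient because the token is 32 random bytes, not a
// human-chosen password: there is nothing to guess, so no salt or slow KDF.
function digest(token) {
  return crypto.createHash('sha256').update(token, 'utf8').digest('hex');
}

function createTokenManager(db = new Map(), cache = new Map()) {
  return {
    db,
    cache,
    // Returns the plaintext token to the caller once; only its digest is stored.
    generate(userId, now = Date.now()) {
      const token = crypto.randomBytes(32).toString('hex');
      const entry = { userId, expiresAt: now + DAY_MS };
      db.set(digest(token), entry);
      cache.set(digest(token), entry);
      return token;
    },
    // Looks up by digest (an indexed equality match): cache first, then db.
    verify(token, now = Date.now()) {
      if (typeof token !== 'string' || token === '') return null;
      const key = digest(token);
      let entry = cache.get(key);
      if (!entry) entry = db.get(key);
      if (!entry || entry.expiresAt <= now) {
        // Unknown or expired: make sure neither store keeps the digest.
        cache.delete(key);
        db.delete(key);
        return null;
      }
      // Sliding validity: each successful verification adds one day.
      const fresh = { userId: entry.userId, expiresAt: now + DAY_MS };
      db.set(key, fresh);
      cache.set(key, fresh);
      return fresh.userId;
    },
  };
}
```

A copy of the `db` contents yields only digests, which cannot be replayed as bearer tokens; the per-request cost is a single SHA-256 over a 64-character string.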



Read more here: https://stackoverflow.com/questions/64403682/is-it-necessary-to-hash-rest-api-tokens

Content Attribution

This content was originally published by Clutch Prince at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.
