The DatabaseTokenStore should hash the token IDs to avoid token compromise. While this issue is discussed and prevented using the HmacTokenStore, it would be better to avoid the problem in the first place with hashing. (And discuss/mitigate timing attacks and DoS with HMAC instead).
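An added sketch of the suggestion above, not the DatabaseTokenStore code itself: a token store that writes only the SHA-256 hash of each token ID to the database, so values read out of the table cannot be replayed as tokens. The class name `HashedTokenStore`, the table layout, and the use of Python with an in-memory SQLite database are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time


def hash_token_id(token_id: str) -> str:
    # Token IDs are high-entropy random values, so a plain fast hash is enough;
    # no salt or password-hashing function is needed.
    return hashlib.sha256(token_id.encode("utf-8")).hexdigest()


class HashedTokenStore:
    """Hypothetical store: only SHA-256(token_id) is ever written to the database."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        conn.execute(
            "CREATE TABLE IF NOT EXISTS tokens("
            "token_hash TEXT PRIMARY KEY, username TEXT NOT NULL, expiry REAL NOT NULL)"
        )

    def create(self, username: str, ttl_seconds: int = 600) -> str:
        token_id = secrets.token_urlsafe(20)  # 160 bits from the OS CSPRNG
        self.conn.execute(
            "INSERT INTO tokens(token_hash, username, expiry) VALUES (?, ?, ?)",
            (hash_token_id(token_id), username, time.time() + ttl_seconds),
        )
        return token_id  # the raw ID goes only to the client

    def read(self, token_id: str):
        row = self.conn.execute(
            "SELECT username FROM tokens WHERE token_hash = ? AND expiry > ?",
            (hash_token_id(token_id), time.time()),
        ).fetchone()
        return row[0] if row else None

    def revoke(self, token_id: str) -> None:
        self.conn.execute(
            "DELETE FROM tokens WHERE token_hash = ?", (hash_token_id(token_id),)
        )


def demo():
    store = HashedTokenStore(sqlite3.connect(":memory:"))
    token = store.create("alice")  # constructed sample user
    stored = store.conn.execute("SELECT token_hash FROM tokens").fetchone()[0]
    # A value read out of the table is not accepted as a token.
    return store.read(token), store.read(stored), stored == token
```

Because the lookup key is the hash of the presented value, the database comparison is made against a value the client cannot choose byte by byte.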