The DatabaseTokenStore should hash the token IDs to avoid token compromise. While this issue is discussed and prevented using the HmacTokenStore, it would be better to avoid the problem in the first place with hashing. (And discuss/mitigate timing attacks and DoS with HMAC instead).
NeilMadden
commented
4 years ago
The
DatabaseTokenStoreshould hash the token IDs to avoid token compromise. While this issue is discussed and prevented using theHmacTokenStore, it would be better to avoid the problem in the first place with hashing. (And discuss/mitigate timing attacks and DoS with HMAC instead).