Open joeellis opened 8 years ago
I was just going through the code and had a question about this line:
https://github.com/hassox/phoenix_guardian/blob/2a502ac49d696aac73857a092c92345328e899de/web/auth/user_from_auth.ex#L128
Could you explain why it's beneficial to set the password and password_confirmation on the Authorization model at all? AFAICT from the code, it seems like the generated token would be enough for authorization purposes, and this just leaves the password hanging around in memory, which could potentially make it vulnerable to buffer overflow attacks.
You've clearly added it here for a specific purpose though, so I'm assuming I'm missing something. I just can't seem to find a reference to these fields being used on an authorization struct anywhere.
Thanks!
Or, second thought: is it added to allow the password / password_confirmation form fields to be re-populated on signup / signin forms in case of an error?
I think this is just old code that I missed. It used to be that the authorization model converted the PW to the encrypted version, but I moved it over.
I'm wondering what you guys think about storing the encrypted password in the token field. In my past projects the password was on the user table and the authorizations table was strictly OAuth.
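The split the thread is leaning toward (password handling on the user record, the authorizations table for OAuth records only) looks like the following in Ecto. This is an added illustration written for this page, not code from phoenix_guardian; the module names, the `password_hash` column and the use of `Bcrypt.hash_pwd_salt/1` from the `bcrypt_elixir` package are assumptions. The plaintext password exists only as a virtual field on the User changeset, is hashed there, and is removed from the changeset once the hash is in place, so no persisted struct and no authorization struct ever carries it.

```elixir
# Added example, not phoenix_guardian's own code. Assumes Ecto and the
# bcrypt_elixir package (Bcrypt.hash_pwd_salt/1) are available.
defmodule Example.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    field :password_hash, :string
    # Virtual fields live only in the changeset; they are never written to the
    # database and never copied onto any other schema.
    field :password, :string, virtual: true
    field :password_confirmation, :string, virtual: true
    has_many :authorizations, Example.Authorization
    timestamps()
  end

  def registration_changeset(user, params) do
    user
    |> cast(params, [:email, :password, :password_confirmation])
    |> validate_required([:email, :password])
    |> validate_length(:password, min: 12)
    # Checks that :password_confirmation matches :password and requires it.
    |> validate_confirmation(:password, required: true)
    |> put_password_hash()
  end

  # Only hash when the rest of the changeset is valid, then drop the plaintext
  # changes so the password is not kept on the changeset after hashing.
  defp put_password_hash(%Ecto.Changeset{valid?: true, changes: %{password: pw}} = cs) do
    cs
    |> put_change(:password_hash, Bcrypt.hash_pwd_salt(pw))
    |> delete_change(:password)
    |> delete_change(:password_confirmation)
  end

  defp put_password_hash(cs), do: cs
end

defmodule Example.Authorization do
  use Ecto.Schema
  import Ecto.Changeset

  # An OAuth record only: provider, uid and tokens. There is deliberately no
  # password or password_confirmation field on this schema.
  schema "authorizations" do
    field :provider, :string
    field :uid, :string
    field :token, :string
    field :refresh_token, :string
    field :expires_at, :integer
    belongs_to :user, Example.User
    timestamps()
  end

  def changeset(auth, params) do
    auth
    |> cast(params, [:provider, :uid, :token, :refresh_token, :expires_at])
    |> validate_required([:provider, :uid])
    |> unique_constraint(:uid, name: :authorizations_provider_uid_index)
  end
end
```

On the form-repopulation question raised above: dropping the plaintext changes after hashing costs nothing there, because password inputs should not be re-rendered with a value on a failed submit in any case (Phoenix.HTML's `password_input` does not set the value unless explicitly asked to). Storing a password hash in the authorization `token` column, as floated in the last comment, would mix a credential verifier into a table whose other rows hold OAuth bearer tokens; keeping the hash on the user record keeps the two kinds of secret, and the code paths that read them, separate.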