Open jasonkeene opened 7 years ago
Instead of using a token perhaps it would be a better idea to simply generate an asymmetric key pair on the client, send the public key up to the server when presenting the username/password, then from there on out we can sign a message to authenticate. Invalidating these keys would be trivial, just zero out the public keys for that user in the database. It would also be cool to have associated metadata so the user could manage authorized sessions.
Currently users have to present their username/password every time they want to login. The client stores the credentials locally, however this is not the most secure thing to do. As a result, a single use token should be given back to the client so it can auth the next time.
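The flow proposed above, as an added example that is not part of this issue or the project's code: the client generates an Ed25519 key pair, the server stores the public key (with a label and timestamp as the session metadata) after the password step, later logins are a signed challenge, and revocation deletes the keys on file. Ed25519, the server-issued random nonce, the in-memory maps and the user names are assumptions; the nonce is added here because signing a fixed message would let a captured signature be replayed, and the signed message includes the username so a signature for one account cannot be presented for another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// registeredKey is one client key the server has on file, plus the
// metadata the issue suggests for a "manage authorized sessions" view.
type registeredKey struct {
	Pub       ed25519.PublicKey
	Label     string
	CreatedAt time.Time
}

// Server keeps per-user keys and the outstanding challenge nonces (in memory here; assumption).
type Server struct {
	keys   map[string][]registeredKey // username -> keys registered at password login
	nonces map[string]bool            // hex nonce -> still unused
}

func NewServer() *Server {
	return &Server{keys: map[string][]registeredKey{}, nonces: map[string]bool{}}
}

// RegisterKey is the one-time step done alongside username/password;
// the password check itself is assumed to have already succeeded.
func (s *Server) RegisterKey(user string, pub ed25519.PublicKey, label string) {
	s.keys[user] = append(s.keys[user], registeredKey{Pub: pub, Label: label, CreatedAt: time.Now()})
}

// Challenge hands the client a fresh random nonce; signing it proves key
// possession without letting a captured signature be replayed later.
func (s *Server) Challenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	n := hex.EncodeToString(buf)
	s.nonces[n] = true
	return n, nil
}

// Verify checks the signed challenge against every key on file for the user.
func (s *Server) Verify(user, nonce string, sig []byte) error {
	if !s.nonces[nonce] {
		return errors.New("unknown or already used nonce")
	}
	delete(s.nonces, nonce) // single use, like the token the issue mentions
	for _, k := range s.keys[user] {
		if ed25519.Verify(k.Pub, authMessage(user, nonce), sig) {
			return nil
		}
	}
	return errors.New("no registered key signed this challenge")
}

// Revoke removes keys with the given label; an empty label removes them all
// (the "zero out the public keys for that user" case). Returns the count removed.
func (s *Server) Revoke(user, label string) int {
	kept, removed := s.keys[user][:0], 0
	for _, k := range s.keys[user] {
		if label == "" || k.Label == label {
			removed++
			continue
		}
		kept = append(kept, k)
	}
	s.keys[user] = kept
	return removed
}

// Sessions lists the metadata a user would see when managing sessions.
func (s *Server) Sessions(user string) []string {
	var out []string
	for _, k := range s.keys[user] {
		out = append(out, fmt.Sprintf("%s (registered %s)", k.Label, k.CreatedAt.Format(time.RFC3339)))
	}
	return out
}

// authMessage binds the signature to both the account and the nonce.
func authMessage(user, nonce string) []byte {
	return []byte("auth:" + user + ":" + nonce)
}

// Client stores only its private key; the password is no longer kept locally.
type Client struct{ priv ed25519.PrivateKey }

func NewClient() (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

func (c *Client) Public() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }

func (c *Client) Sign(user, nonce string) []byte { return ed25519.Sign(c.priv, authMessage(user, nonce)) }

func main() {
	srv := NewServer()
	cli, _ := NewClient()
	srv.RegisterKey("alice", cli.Public(), "laptop") // "alice" is a constructed sample user
	nonce, _ := srv.Challenge()
	fmt.Println("first auth:", srv.Verify("alice", nonce, cli.Sign("alice", nonce)))
	fmt.Println("replay:", srv.Verify("alice", nonce, cli.Sign("alice", nonce)))
	fmt.Println("sessions:", srv.Sessions("alice"))
	srv.Revoke("alice", "")
	nonce, _ = srv.Challenge()
	fmt.Println("after revoke:", srv.Verify("alice", nonce, cli.Sign("alice", nonce)))
}
```

Revocation here deletes the key rather than literally zeroing it; either way a zeroed or missing public key can never verify a signature, so all sessions for that user stop working immediately, with no token expiry to wait out.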