lucia-auth / lucia

Authentication, simple and clean
https://lucia-auth.com
MIT License

[Docs]: password reset security improvement #1451

Closed mohamedhoss123 closed 4 months ago

mohamedhoss123 commented 4 months ago

Description

There is a problem with the password reset example, as it doesn't mention hashing the reset token before storing it in the database. To explain what will happen if we don't hash: we basically make a way to ignore the normal password hashing, because if the database is leaked the password reset token will be leaked too, and then the normal hashed password will be useless; just get the token (the plain text) and make a new password.

pilcrowOnPaper commented 4 months ago

Yup, fixed