A hashed token couldn't be used for lookup... but we are going to move away from using tokens for lookup anyway, preferring instead to look up some other value and then perform a secure comparison. That is true of User sessions, at least - API tokens will still be used for lookup; this is fairly typical, and their privileges are limited.
We could use has_secure_password to store a refresh token more securely, or otherwise use BCrypt to accomplish the same thing.
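To make the scheme in the comment above concrete, here is an added example (not the project's own code, and not written by the commenter) of a session store that finds a session by a random session id rather than by the token, keeps only a digest of the token, and checks the presented token with a constant-time comparison. Assumptions: the client credential is a hypothetical `"<session id>.<token>"` string, and SHA-256 from the Ruby standard library stands in for BCrypt / `has_secure_password` so the example runs without gems; a BCrypt digest and `BCrypt::Password#==` would slot into the same two places.

```ruby
require "securerandom"
require "openssl"

# Added example, not project code. The session id is the lookup key; the
# token is never used as a database key, so it can be stored as a digest.
class SessionStore
  Session = Struct.new(:id, :user_id, :token_digest)

  def initialize
    @sessions = {} # keyed by session id, the value we actually look up with
  end

  # Creates a session and returns the only copy of the plaintext token,
  # embedded in a hypothetical "id.token" credential handed to the client.
  def create(user_id)
    id    = SecureRandom.hex(16)  # public lookup handle, 128 bits
    token = SecureRandom.hex(32)  # secret, 256 bits, stored only as a digest
    @sessions[id] = Session.new(id, user_id, digest(token))
    "#{id}.#{token}"
  end

  # Returns the user_id for a valid credential, nil otherwise.
  # Every failure path returns nil so the caller cannot tell a bad id from
  # a bad token.
  def authenticate(credential)
    id, token = credential.to_s.split(".", 2)
    return nil if id.nil? || token.nil? || token.empty?
    session = @sessions[id]                        # lookup by id, not by secret
    return nil unless session
    return nil unless secure_compare(digest(token), session.token_digest)
    session.user_id
  end

  # Revokes the session named by a valid credential; returns true if removed.
  def revoke(credential)
    return false if authenticate(credential).nil?
    id = credential.split(".", 2).first
    !@sessions.delete(id).nil?
  end

  private

  # Assumption: SHA-256 stands in for the BCrypt digest the comment proposes.
  # A 256-bit random token cannot be guessed, so a fast hash is acceptable
  # here; a BCrypt digest would be computed in this same method.
  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison of two equal-length strings, the same idea as
  # ActiveSupport::SecurityUtils.secure_compare / Rack::Utils.secure_compare.
  # Both inputs are hex digests of fixed length, so the length check only
  # guards against a malformed stored value.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    left = a.unpack("C*")
    result = 0
    b.each_byte { |byte| result |= byte ^ left.shift }
    result.zero?
  end
end
```

Usage: `store = SessionStore.new; cred = store.create(42); store.authenticate(cred) # => 42`. Because the lookup key (the id) and the secret (the token) are separate, a database dump yields ids and digests but no usable credential, and the `secure_compare` step means the time taken to reject a wrong token does not depend on how many leading bytes matched.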
Is this okay?
Worth consideration.