
Validating Personal Access Token

Çağlar Arlı


I want to implement PATs for an API I am creating and want to know if there are any security issues and whether there might be a better way.

  1. User requests token, names it, and gives it permissions
  2. Token is generated on the server and returned for one-time display
  3. SHA of token is stored in the database tables with matching security
  4. API calls use SHA of the passed token to lookup in database to authorize

I'm trying to think of a way to salt the hash, but is that really necessary? As a long random string of characters it isn't really feasible to brute-force it, and there should be no duplicates or the same hashed value in any other system that would lead to an issue if the other system were hacked.

Just storing the hash makes it a quick database lookup. I thought about having some other identifier or piece of information be transferred as well, but I think that just complicates it and might lead to exposure of more information.
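The four-step scheme from the question, written out as an added example (this is not code from the original post or from any particular project). It assumes an in-memory dictionary standing in for the database table, `secrets.token_urlsafe` as the generator, and unsalted SHA-256 of the token as the lookup key; the `PatStore` class, its method names and the scope strings are all hypothetical. It also shows the one check the post's step 4 leaves implicit: a hash match alone is not authorization, the record's permissions still have to cover the request.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional

# 32 random bytes = 256 bits of entropy. That is what makes a salt unnecessary:
# an attacker who steals the table cannot enumerate 2**256 candidates, and
# rainbow tables cannot exist for inputs that were never "chosen" by a human.
TOKEN_BYTES = 32


@dataclass(frozen=True)
class TokenRecord:
    """What the database keeps. Note: no plaintext token field at all."""
    token_hash: str            # hex SHA-256 of the token, the lookup key
    name: str                  # user-chosen label ("CI deploy key")
    user_id: str
    scopes: FrozenSet[str]     # permissions granted at creation time
    created_at: datetime


class PatStore:
    """Hypothetical PAT store; dict keyed by token hash stands in for the DB."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, TokenRecord] = {}

    @staticmethod
    def hash_token(token: str) -> str:
        # Plain SHA-256: fast, deterministic, and sufficient for a
        # high-entropy random secret (unlike passwords, which need a slow KDF).
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str, name: str, scopes: FrozenSet[str]) -> str:
        """Steps 1-3: generate, store the hash, return the plaintext once."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        record = TokenRecord(
            token_hash=self.hash_token(token),
            name=name,
            user_id=user_id,
            scopes=scopes,
            created_at=datetime.now(timezone.utc),
        )
        self._by_hash[record.token_hash] = record
        return token  # displayed to the user one time, never persisted

    def authorize(self, token: str, required_scope: str) -> Optional[TokenRecord]:
        """Step 4: hash the presented token, look it up, then check scope.

        Returns the record on success, None on unknown token or missing scope.
        The hash is the dict key, so a wrong token simply finds nothing; the
        secret itself never touches the store.
        """
        record = self._by_hash.get(self.hash_token(token))
        if record is None:
            return None
        if required_scope not in record.scopes:
            return None  # valid token, but not permitted for this call
        return record

    def revoke(self, user_id: str, name: str) -> bool:
        """Delete by owner and label; the plaintext is not needed to revoke."""
        for h, rec in list(self._by_hash.items()):
            if rec.user_id == user_id and rec.name == name:
                del self._by_hash[h]
                return True
        return False

    def plaintext_is_stored(self, token: str) -> bool:
        """Sanity check for the design: the raw token must not be recoverable."""
        return any(token in (h, r.name, r.user_id) for h, r in self._by_hash.items())


if __name__ == "__main__":
    store = PatStore()
    pat = store.issue("alice", "ci-deploy", frozenset({"repo:read"}))
    print("show once:", pat)
    print("read ok:", store.authorize(pat, "repo:read") is not None)
    print("write ok:", store.authorize(pat, "repo:write") is not None)
```

Because the lookup is indexed on the hash, the database only ever sees SHA-256 digests; a leaked table gives an attacker nothing to replay. The `revoke` method works from the user-facing name, which is why the question's step 1 (naming the token) matters operationally.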