
How this gem is different from a JWT system? #543

Closed
rdupz opened this issue Feb 20, 2016 · 1 comment
rdupz commented Feb 20, 2016

I'm a bit confused about the design of this authentication system.

  • Is this using JWT under the hood?
  • Why should the token be changed at every request (from a security point of view)?
  • Why is the token (a hash of it) stored in the database?
@lynndylanhurley (Owner) commented

Is this using JWT under the hood?

No.

Why should the token be changed at every request (from a security point of view)?

The longer a token is valid, the longer an attacker has to exploit it. But you can disable this feature if you want.

Why is the token (a hash of it) stored in the database?

The user's access may be revoked or changed between requests. So we must check with the DB on each request. The tokens are hashed for the same reason that passwords are hashed.
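The design the maintainer describes above (opaque tokens, only a hash kept in the database, a DB check on every request so revocation is immediate, and rotation on each request that can be switched off), as an added Ruby example; this is not devise_token_auth's own code, and the store, its record fields and the rotation flag name are assumptions made here.

```ruby
require "securerandom"
require "digest"

# Added example, not devise_token_auth's own code: an in-memory token store
# mirroring the reply above: opaque random tokens, only a digest persisted,
# a DB check on every request (so revocation is immediate), and optional
# per-request rotation (the flag name here is constructed).
class TokenStore
  Record = Struct.new(:token_digest, :expires_at, :revoked)

  def initialize(lifetime: 3600, rotate_each_request: true, clock: -> { Time.now })
    @records = {} # stands in for the users table
    @lifetime = lifetime
    @rotate = rotate_each_request
    @clock = clock
  end

  # Issue a fresh opaque token; only its SHA-256 digest is stored.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @records[user_id] = Record.new(digest(token), @clock.call + @lifetime, false)
    token
  end

  # Check a presented token against the stored digest. Returns the token the
  # client should use next (a new one when rotation is on), or nil when the
  # token is unknown, expired, revoked or does not match.
  def authenticate(user_id, token)
    rec = @records[user_id]
    return nil if rec.nil? || rec.revoked || @clock.call > rec.expires_at
    return nil unless secure_equal?(rec.token_digest, digest(token))
    @rotate ? issue(user_id) : token
  end

  def revoke(user_id)
    rec = @records[user_id]
    rec.revoked = true if rec
  end

  private
  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison so timing does not leak digest bytes.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With rotation on, a token that has already been used once is rejected, which is what limits the window an intercepted token can be exploited in.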
