[Password Reset Service] UserToken_Validate
Question
password-reset-service
Forge component by Barduino
Application Type
Service

Hello!

I am taking a look at this component to implement it in my app.

When trying to understand it I have some doubts about the UserToken_Validate service action. Inside it you can see that it verifies the IP and the User based on the token.

Going into "User_GetBy_Token" it is doing the Token_Hash action. The Token_Hash is used when creating a token (which makes sense, because it is "hashing" and protecting it before storing it in the database) and when verifying the user based on its token (this is where it does not make sense).

My questions are:

  • Why are we "hashing" the token that we got as input to then verify it with the database?
  • We should be checking the database with the input token, not the token hashed again, right?
  • As it is, it would not match and the token would never be found, right?
  • Should we simply remove the token hash from this action or is there something missing?
Solution

Hi Clarisse,

Hopefully I understood your question correctly.

So hash functions are one way only, meaning once you hash the token you can't get back to the token from the hash itself (as opposed to encryption, where you can both encrypt and decrypt).

In the database, only hashes are stored, so that even if the database gets compromised no one can get the actual tokens.

So if you look in the database for any token, it won't be found. The only way is to hash the token first and then search the database for the corresponding hash.

Best Regards
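The store-the-hash, hash-then-look-up pattern described in this answer, as an added illustration that is not part of the Password Reset Service component itself. The component's actual Token_Hash algorithm is not shown on this page, so SHA-256 is an assumption here, and the in-memory dictionary stands in for the database table; the function names `token_hash`, `create_reset_token` and `user_by_token` are chosen to mirror the roles of Token_Hash and User_GetBy_Token, not the component's real signatures.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory store standing in for the database table.
# Maps token hash -> user id. The raw token is never written here.
_reset_tokens: Dict[str, str] = {}


def token_hash(raw_token: str) -> str:
    """One-way hash of the raw token (SHA-256, hex; algorithm is an assumption).

    Plays the role of Token_Hash: called both when the token is stored
    and again when an incoming token is looked up.
    """
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


def create_reset_token(user_id: str) -> str:
    """Generate a random token, persist only its hash, return the raw token.

    The raw value is what goes into the reset link sent to the user;
    the database only ever sees token_hash(raw_token).
    """
    raw_token = secrets.token_urlsafe(32)
    _reset_tokens[token_hash(raw_token)] = user_id
    return raw_token


def user_by_token(raw_token: str) -> Optional[str]:
    """Lookup in the style of User_GetBy_Token.

    The incoming token is hashed first and the *hash* is searched for.
    Searching for the raw token would never match, because it was never stored.
    """
    candidate = token_hash(raw_token)
    for stored_hash, user_id in _reset_tokens.items():
        # Constant-time comparison so a timing difference does not reveal
        # how many leading characters of the hash matched.
        if hmac.compare_digest(stored_hash, candidate):
            return user_id
    return None


def raw_token_is_stored(raw_token: str) -> bool:
    """Demonstrates the questioner's concern: the raw token is absent from the store."""
    return raw_token in _reset_tokens


if __name__ == "__main__":
    link_token = create_reset_token("user-42")       # this value goes in the e-mail link
    print("raw token stored?", raw_token_is_stored(link_token))   # False
    print("user for token:", user_by_token(link_token))          # user-42
    print("user for bogus:", user_by_token("not-a-token"))        # None
```

Because the token comes from `secrets.token_urlsafe(32)` (256 bits of randomness), a plain unsalted hash is sufficient for the lookup key; salting and slow hashing are defences for low-entropy secrets such as passwords, not for random tokens, and a per-row salt would also make a direct hash lookup impossible. A leaked table of hashes gives an attacker nothing usable, which is exactly the property the answer describes.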

Hi Barduino,

I get it now! I did not notice that we were sending the token not hashed in the link, I thought we were sending the hashed token. Silly me!

Now this makes total sense! :)

Thank you for your help!

Have a nice week.
