In my system each user can have multiple api keys. I want to hash api keys and store in a database their hashes. I’m using comeonin for this.
is it sensible to store hashes of api keys rather than their plain, original values?
when an api request comes in, there’s only a plain api key value in it and no user email along with it – this is my system is designed.
How should I check if an api key is valid? Will I have to do this:
given_api_plain_key = get_key_from_request() # re-hash it again # but how about the original salt??? given_api_hash_key = Comeonin.Bcrypt.hashpwsalt(given_api_plain_key) case Repo.get_by(ApiKey, key_hash: given_api_hash_key) do nil -> IO.puts("not found") a -> IO.puts("gooood") end
Or is there a better way?