My current application needs secure tokens for password reset.
These tokens do not contain any state, the security model is that the bearer will use them to talk to the server and the server can look up the associated state.
Also ideally these tokens should be as short as possible.
Currently what I am doing is associating an id (32 bit integer) with a secret (128 bit).
The id and a masked version of the secret are stored in the database.
defp mask(secret) do Base.url_encode64(:crypto.hash(:sha256, secret)) end
The token given to the user is a base64 url encoded string with both id and secret.
def serialize(id, secret) when id <= @maximum_id_value do Base.url_encode64(<<id::32, 0::8, secret::binary>>) end
- My server cannot generate the token so user can only download it at the time of generation
- I can generate a prefix (the first 6 characters come from the id) for a user which is helpful for managing the keys.
My Questions are:
- Is this secure?
- Are there any standards for this type of token?
- If no standards are there any libraries that do just this. I have found libraries that do more but I want just the token creation and serializing and parsing.