phx_gen_auth has two functions, build_session_token and build_email_token. In build_email_token the token stored in the database is hashed, while with build_session_token the token stored in the database is not hashed. Why is this? The comments in the generated code briefly mention this subject. For example, it mentions:
The non-hashed token is sent to the user email while the hashed part is stored in the database. The original token cannot be reconstructed, which means anyone with read-only access to the database cannot directly use the token in the application to gain access.
Why does this concern not apply to build_session_token? The comments there also mention the following, which I do not understand:
Generates a token that will be stored in a signed place, such as session or cookie. As they are signed, those tokens do not need to be hashed.
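The two comments quoted above describe two different ways of protecting a stored token against someone who can only read the database. The Python below is an added example written to illustrate that difference; it is not Phoenix's or phx_gen_auth's code, and the table, cookie layout and the constructed signing secret are assumptions for the demonstration. An email token is sent raw to the user and only its SHA-256 hash is stored, so the stored value cannot be replayed. A session token is stored raw, but it only ever reaches the browser inside an HMAC-signed cookie, and the signing secret lives in application configuration rather than in the database, so a copy of the table alone is not enough to build a cookie the application will accept.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the demonstration. The Phoenix equivalent lives in the
# endpoint configuration, not in the database, which is the whole point below.
SIGNING_SECRET = b"constructed-demo-secret-do-not-reuse"

# Stand-in for the users_tokens table: one dict per row.
user_tokens_table = []


def build_email_token(user_email):
    """Email-token pattern: the raw random token goes into the emailed link,
    only its SHA-256 hash is persisted."""
    raw = secrets.token_bytes(32)
    hashed = hashlib.sha256(raw).digest()
    user_tokens_table.append({"token": hashed, "context": "confirm", "sent_to": user_email})
    return raw


def verify_email_token(raw):
    """Hash what the user presents and look for a matching stored hash."""
    hashed = hashlib.sha256(raw).digest()
    for row in user_tokens_table:
        if row["context"] == "confirm" and hmac.compare_digest(row["token"], hashed):
            return row
    return None


def build_session_token():
    """Session-token pattern: the random token is stored as-is; it is only
    ever handed to the browser wrapped in a signed cookie."""
    raw = secrets.token_bytes(32)
    user_tokens_table.append({"token": raw, "context": "session"})
    return raw


def sign_cookie(token, secret=SIGNING_SECRET):
    """Cookie value = token || HMAC-SHA256(secret, token)."""
    return token + hmac.new(secret, token, hashlib.sha256).digest()


def verify_cookie(cookie, secret=SIGNING_SECRET):
    """Check the signature first; only then look the token up in the table."""
    if len(cookie) != 64:
        return None
    token, tag = cookie[:32], cookie[32:]
    expected = hmac.new(secret, token, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    for row in user_tokens_table:
        if row["context"] == "session" and hmac.compare_digest(row["token"], token):
            return row
    return None


def demo():
    """Build one token of each kind, then show what a read-only copy of the
    table lets an attacker do. Returns a dict of outcomes."""
    user_tokens_table.clear()
    email_raw = build_email_token("alice@example.com")  # constructed address
    session_raw = build_session_token()

    email_row = next(r for r in user_tokens_table if r["context"] == "confirm")
    session_row = next(r for r in user_tokens_table if r["context"] == "session")

    return {
        # Legitimate flows work.
        "email_link_accepted": verify_email_token(email_raw) is not None,
        "signed_cookie_accepted": verify_cookie(sign_cookie(session_raw)) is not None,
        # The stored email value is a hash: presenting it as the token fails.
        "leaked_email_hash_replayed": verify_email_token(email_row["token"]) is not None,
        # The stored session token is raw, but without SIGNING_SECRET the
        # attacker cannot produce a cookie whose tag verifies.
        "leaked_session_token_unsigned": verify_cookie(session_row["token"] + bytes(32)) is not None,
        "leaked_session_token_wrong_secret": verify_cookie(
            sign_cookie(session_row["token"], b"guessed-secret")) is not None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The split follows what the two comments say: hashing protects a value that must travel unsigned (an email link), while a signature protects a value that the application itself places in the session. Note that the session scheme only holds as long as the signing secret is kept out of the database and a signature check happens before the table lookup, which is why the example verifies the HMAC first.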