Password reset tokens: hash + expiry

553 views

                  import crypto from 'node:crypto';

export function createResetToken() {
  const token = crypto.randomBytes(32).toString('hex');
  const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
  const expiresAt = new Date(Date.now() + 30 * 60 * 1000);
  return { token, tokenHash, expiresAt };
}

Reset flows are a common place to accidentally store secrets in the database. I generate a random token, email it to the user, and store only a hash in the DB alongside an expiry timestamp. When the user redeems the token, I hash what they provide and compare. That way, even if the DB leaks, reset tokens can’t be used directly. I invalidate tokens after first use and keep the TTL short. Another detail: I return the same response whether the email exists or not to avoid account enumeration. Most auth security is about these boring edge cases—doing them consistently prevents a lot of real-world abuse.

Mateo Rodriguez

More from Mateo Rodriguez

Password reset tokens: hash + expiry

0 Comments

More from Mateo Rodriguez