Skip to content

Password reset and email verification tokens stored as plaintext in User entity #801

Description

@RUKAYAT-CODER

Overview

src/users/entities/user.entity.ts stores passwordResetToken and emailVerificationToken as plaintext columns. A database read (SQL injection, backup leak, insider threat) directly exposes valid tokens an attacker can use to take over any account.

Specifications

Features:

  • Store only a bcrypt/SHA-256 hash of each token in the database.
  • Validate by hashing the user-supplied token and comparing.

Tasks:

  • In the service that creates tokens, hash before persisting (use crypto.createHash('sha256') for deterministic comparison).
  • In the service that validates tokens, hash the incoming value before querying.
  • Remove the plaintext values from any API response payloads.
  • Add migration to clear existing plaintext tokens.

Impacted Files:

  • src/users/entities/user.entity.ts
  • Auth/user service methods that create/validate these tokens.

Acceptance Criteria

  • DB column contains only the hashed value.
  • Original token is never stored or logged.
  • Token validation still works correctly in tests.

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions