Overview
src/users/entities/user.entity.ts stores passwordResetToken and emailVerificationToken as plaintext columns. A database read (SQL injection, backup leak, insider threat) directly exposes valid tokens an attacker can use to take over any account.
Specifications
Features:
- Store only a bcrypt/SHA-256 hash of each token in the database.
- Validate by hashing the user-supplied token and comparing.
Tasks:
- In the service that creates tokens, hash before persisting (use
crypto.createHash('sha256') for deterministic comparison).
- In the service that validates tokens, hash the incoming value before querying.
- Remove the plaintext values from any API response payloads.
- Add migration to clear existing plaintext tokens.
Impacted Files:
src/users/entities/user.entity.ts
- Auth/user service methods that create/validate these tokens.
Acceptance Criteria
- DB column contains only the hashed value.
- Original token is never stored or logged.
- Token validation still works correctly in tests.
Overview
src/users/entities/user.entity.tsstorespasswordResetTokenandemailVerificationTokenas plaintext columns. A database read (SQL injection, backup leak, insider threat) directly exposes valid tokens an attacker can use to take over any account.Specifications
Features:
Tasks:
crypto.createHash('sha256')for deterministic comparison).Impacted Files:
src/users/entities/user.entity.tsAcceptance Criteria